ImageMagick path-policy bypass exposes restricted files
TL;DR — A path traversal technique bypasses ImageMagick's security policy, allowing read access to files that should be restricted by policy-secure.xml.
What happened
ImageMagick is a widely used open-source image processing library that web applications and services use to resize, convert, and manipulate images. A new CVE record describes a path traversal technique that bypasses ImageMagick's path security policy: the policy matcher evaluates the raw, unnormalized filename before the OS resolves the final path, so a filename that contains a traversal sequence (for example one beginning outside /etc and stepping back into it with ../) is compared against rules such as /etc/* in its unresolved form and slips past them. The file the OS eventually opens is the restricted one, resulting in local file disclosure even when policy-secure.xml is in use.
ImageMagick policy bypasses have been a persistent pain point — this is at least the third path-based policy circumvention in the last two years, underscoring why defense-in-depth (container isolation, read-only mounts) matters alongside policy configuration.
Who is impacted
- ImageMagick versions < 7.1.2-15 (7.x line) and < 6.9.13-40 (6.x line).
- Deployments relying on ImageMagick's policy files to restrict filesystem reads (e.g., image processing services accepting user-controlled inputs).
- Severity: CVSS 3.1 base score 8.6 (High).
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing (7.1.2-15 or later on the 7.x line, 6.9.13-40 or later on the 6.x line).
- If you cannot patch immediately, add an explicit traversal-blocking rule to your policy:
<policy domain="path" rights="none" pattern="*../*"/>
This denies any path that contains a literal ../ segment as supplied; it is a stop-gap, not a substitute for the fix, so keep it in place only until you upgrade.
- Review services where untrusted inputs can influence ImageMagick read paths, especially in containerized or multi-tenant environments.
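The following is an added example, not ImageMagick's own matcher or policy code. It models the root cause described above with a small glob-based path policy: the vulnerable variant matches the filename exactly as supplied, a hardened variant normalizes the path first so the pattern sees what the OS will open, and a third variant shows the effect of the stop-gap `*../*` deny rule on an otherwise unpatched matcher. The policy entries, sample paths, and function names are constructed for this demonstration.

```python
"""Illustrative path-policy matcher (added example, not ImageMagick's code).

Models how a policy that globs the *raw* filename is bypassed by traversal,
and how normalizing before matching (or denying '..' segments outright)
closes the gap. Policy entries and sample paths are constructed for this demo.
"""
import fnmatch
import posixpath

# Constructed policy modelled on policy-secure.xml-style path rules:
# (pattern, rights). First match wins; unmatched paths are readable here.
POLICY = [
    ("/etc/*", "none"),
    ("/proc/*", "none"),
]

# Stop-gap rule from the advisory: deny any path containing a literal '../'.
TRAVERSAL_RULE = ("*../*", "none")


def rights_raw(path, policy=POLICY):
    """Vulnerable model: glob the filename exactly as the caller supplied it.

    '/tmp/../etc/passwd' does not start with '/etc/', so '/etc/*' never fires
    even though the OS will open /etc/passwd.
    """
    for pattern, rights in policy:
        if fnmatch.fnmatchcase(path, pattern):
            return rights
    return "read"


def rights_normalized(path, policy=POLICY):
    """Hardened model: collapse '.' and '..' components before matching so the
    pattern is applied to the path the OS will actually resolve."""
    normalized = posixpath.normpath(path)
    for pattern, rights in policy:
        if fnmatch.fnmatchcase(normalized, pattern):
            return rights
    return "read"


def rights_raw_with_traversal_rule(path, policy=POLICY):
    """Unpatched raw matcher plus the explicit '*../*' deny rule prepended.

    Blocks the literal traversal string but still evaluates the raw name,
    which is why it is a stop-gap rather than a fix.
    """
    return rights_raw(path, [TRAVERSAL_RULE] + list(policy))


if __name__ == "__main__":
    samples = ["/etc/passwd", "/tmp/../etc/passwd", "/tmp/upload/img.png"]
    print(f"{'path':24} {'raw':6} {'normalized':11} {'raw+rule'}")
    for p in samples:
        print(f"{p:24} {rights_raw(p):6} {rights_normalized(p):11} "
              f"{rights_raw_with_traversal_rule(p)}")
```

Note that posixpath.normpath only rewrites the string; it does not resolve symlinks. A matcher that must be robust against links needs the OS-resolved path (os.path.realpath, or checking the opened file's location after the fact), which is one reason the advisory recommends read-only mounts and container isolation alongside policy configuration.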
