ImageMagick fixes path-policy bypass that can expose restricted files (CVE-2026-25965)
What happened
A new CVE record (CVE-2026-25965) was published for ImageMagick describing a path traversal technique that bypasses ImageMagick's path security policy: the policy matcher evaluates the raw (unnormalized) filename before the operating system resolves the final path, so a path that is rewritten during resolution is never compared against the rules in its final form. This can allow reading files that rules such as /etc/* are expected to block, resulting in local file disclosure (LFI) even when policy-secure.xml is in use.
Who is impacted
- Anyone running ImageMagick 7.x before 7.1.2-15 (affected range >= 7.0.0, < 7.1.2-15) or 6.x before 6.9.13-40.
- Deployments that rely on ImageMagick's policy files to restrict filesystem reads (e.g., image processing services, conversion pipelines, and apps that accept user-controlled image inputs/paths).
- Severity is listed as HIGH (CVSS 3.1 base score 8.6) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N.
What to do now
- Upgrade ImageMagick to 7.1.2-15 (7.x) or 6.9.13-40 (6.x).
- If you cannot upgrade immediately, the advisory recommends adding an explicit traversal-blocking rule to your ImageMagick policy:
<policy domain="path" rights="none" pattern="*../*"/>
- Review any services where untrusted inputs can influence ImageMagick read paths or conversions, especially in containerized or multi-tenant environments.
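The mismatch described above, as an added illustration (not ImageMagick's own matching code): a policy matcher that globs the raw filename is modelled next to a hardened variant that normalizes the path first, and the advisory's interim `*../*` rule is shown closing the gap in the raw matcher. Glob semantics are approximated with Python's `fnmatch`, which is an assumption; the sample paths are constructed.

```python
import fnmatch
import os

# Constructed policy rules modelled on the advisory: deny reads under /etc, and
# (interim mitigation) deny any path that still contains a "../" segment.
BASE_RULES = ["/etc/*"]
MITIGATION_RULES = BASE_RULES + ["*../*"]


def matches_raw(path: str, patterns) -> bool:
    """Model of a matcher that globs the raw, unnormalized filename.

    Illustrative only; ImageMagick's real matcher is not reproduced here.
    fnmatch's '*' also matches '/', so "/etc/*" covers nested paths.
    """
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def matches_normalized(path: str, patterns) -> bool:
    """Hardened variant: collapse '.' and '..' segments before matching, so the
    string the policy sees is the path the OS will actually open.

    os.path.normpath is purely lexical; it does not follow symlinks. A matcher
    that must also defeat symlink tricks would use os.path.realpath, which
    requires the filesystem to be present.
    """
    normalized = os.path.normpath(path)
    return any(fnmatch.fnmatchcase(normalized, p) for p in patterns)


def evaluate(path: str) -> dict:
    """Report how each matcher / rule set treats a path (True means blocked)."""
    return {
        "raw_base": matches_raw(path, BASE_RULES),
        "raw_mitigated": matches_raw(path, MITIGATION_RULES),
        "normalized_base": matches_normalized(path, BASE_RULES),
    }


if __name__ == "__main__":
    # Constructed inputs: a direct path, a traversal path, and a benign path.
    for sample in ("/etc/passwd", "/tmp/../etc/passwd", "/tmp/image.png"):
        print(sample, evaluate(sample))
```

Only `raw_base` is False for the traversal sample: the raw matcher never sees `/etc/passwd`, while both the `*../*` rule and lexical normalization block it, and the benign path stays allowed under every variant.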
Additional Information
- CVE publication timestamp in the CVE record: 2026-02-24T01:20:44.175Z.
- Upstream advisory reference: GHSA-8jvj-p28h-9gm7 (ImageMagick/ImageMagick GitHub Security Advisory).
Published 24 Feb 2026. Updated 24 Feb 2026.
