CVE-2024-33871

8.8 HIGH

📋 TL;DR

This vulnerability in Ghostscript allows arbitrary code execution by loading a malicious dynamic library specified in a crafted PostScript document. It affects systems running Ghostscript versions before 10.03.1 that process untrusted PostScript files. The attack can be triggered through document processing applications that use Ghostscript.

💻 Affected Systems

Products:
  • Artifex Ghostscript
Versions: All versions before 10.03.1
Operating Systems: All operating systems where Ghostscript is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the opvp and oprp device drivers when processing PostScript documents with custom Driver parameters.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the Ghostscript process, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Remote code execution on systems processing malicious PostScript files, allowing attackers to execute arbitrary commands, install malware, or pivot to other systems.

🟢

If Mitigated

Limited impact if Ghostscript runs in sandboxed environments with minimal privileges and processes only trusted documents.

🌐 Internet-Facing: HIGH - Web applications that process user-uploaded PostScript/PDF files are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal systems processing documents from untrusted sources remain vulnerable, though attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to craft a malicious PostScript document that gets processed by a vulnerable Ghostscript instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.03.1

Vendor Advisory: https://bugs.ghostscript.com/show_bug.cgi?id=707754

Restart Required: No

Instructions:

1. Download Ghostscript 10.03.1 or later from https://www.ghostscript.com
2. Follow installation instructions for your platform
3. Replace existing Ghostscript binaries
4. Test with sample documents to ensure functionality

🔧 Temporary Workarounds

Disable opvp/oprp devices

all

Remove or disable the vulnerable device drivers to prevent exploitation

# For Linux systems: remove gdevopvp.c and gdevoprp.c from installation
# Or modify configuration to exclude opvp/oprp devices

Sandbox Ghostscript execution

linux

Run Ghostscript with minimal privileges in isolated containers or sandboxes

# Example using Docker: docker run --read-only --cap-drop=ALL -v /safe/input:/input ghostscript
# Or use seccomp/apparmor profiles to restrict system calls

🧯 If You Can't Patch

  • Implement strict input validation to reject PostScript files with custom Driver parameters
  • Deploy network segmentation to isolate Ghostscript processing systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Run 'gs --version' and check if version is earlier than 10.03.1

Check Version:

gs --version

Verify Fix Applied:

Confirm version is 10.03.1 or later with 'gs --version' and test processing known-safe PostScript files
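
The version check above can be scripted. The following is an added example, not part of the original advisory or of Ghostscript: it compares the `gs --version` string against 10.03.1 field by field (so 10.3.1 and 10.03.1 compare equal) and looks for the opvp/oprp devices in the `gs -h` device list. The function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example: offline-testable checks for CVE-2024-33871 exposure.
# Function names are illustrative, not part of Ghostscript.

FIXED_VERSION="10.03.1"   # patch version stated in this advisory

# Return 0 if dotted version $1 is strictly lower than $2.
# Fields are compared numerically, so "10.03.1" and "10.3.1" are equal.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Return 0 if the version string printed by `gs --version` predates the fix.
gs_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Return 0 if the text of `gs -h` (passed as $1) lists opvp or oprp
# among the compiled-in devices.
has_opvp_devices() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | grep -Eqx 'opvp|oprp'
}

# Report on the local install when gs is on PATH.
if command -v gs >/dev/null 2>&1; then
    ver=$(gs --version)
    if gs_is_vulnerable "$ver"; then
        echo "gs $ver: older than $FIXED_VERSION, upgrade required"
    else
        echo "gs $ver: at or above $FIXED_VERSION"
    fi
    if has_opvp_devices "$(gs -h 2>/dev/null)"; then
        echo "opvp/oprp devices are compiled into this build"
    else
        echo "opvp/oprp devices not listed by gs -h"
    fi
else
    echo "gs not found on PATH"
fi
```

Distribution packages may carry a backported fix without changing the upstream version string, so confirm a "vulnerable" result against the vendor's package changelog.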

📡 Detection & Monitoring

Log Indicators:

  • Ghostscript process spawning unexpected child processes
  • Unusual library loading attempts in system logs
  • Errors related to opvp/oprp device initialization

Network Indicators:

  • Outbound connections from Ghostscript processes to unexpected destinations
  • File transfers initiated by Ghostscript

SIEM Query:

process_name:"gs" AND (process_spawned:true OR library_load:*opvp* OR library_load:*oprp*)
