CVE-2026-25965
📋 TL;DR
ImageMagick's path security policy enforcement occurs before filesystem path resolution, allowing path traversal attacks to bypass policy rules like '/etc/*'. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Systems using ImageMagick versions prior to 7.1.2-15 or 6.9.13-40 for image processing are affected.
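To show the ordering bug described above in isolation, here is a small added Python illustration; it is my own code, not ImageMagick's, and the deny list and the lexical path normaliser are assumptions standing in for ImageMagick's policy matcher and the operating system's path resolution. The vulnerable function matches the policy against the path string exactly as supplied and only afterwards lets the filesystem collapse the traversal component, so a rule such as '/etc/*' never sees the file that is really opened; the fixed function canonicalises first and matches the policy against the result.

```python
import fnmatch
import posixpath

# Constructed deny list in the spirit of the path rules in policy-secure.xml
# (assumption: ImageMagick's real policy format is not reproduced here).
DENY_PATTERNS = ["/etc/*", "/root/*", "/home/*/.ssh/*"]


def is_denied(path, patterns=DENY_PATTERNS):
    """True if the path string matches any deny glob (case-sensitive, like a filesystem)."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns)


def check_then_resolve(requested):
    """Vulnerable ordering: the policy is matched against the raw string, and only
    afterwards does the filesystem collapse '..' components when the file is opened.
    Returns the path that would actually be opened, or None if the policy blocked it."""
    if is_denied(requested):
        return None
    return posixpath.normpath(requested)  # what the open() call really hits


def resolve_then_check(requested):
    """Fixed ordering: canonicalise first, then match the policy against the path
    that will really be opened. Returns that path, or None if blocked."""
    resolved = posixpath.normpath(requested)
    if is_denied(resolved):
        return None
    return resolved


if __name__ == "__main__":
    for requested in ["/tmp/work/image.png", "/etc/hosts", "/tmp/../etc/hosts"]:
        print(f"{requested:22} vulnerable -> {check_then_resolve(requested)!s:12} "
              f"fixed -> {resolve_then_check(requested)}")
```

`posixpath.normpath` is purely lexical, which is enough to show the ordering problem. A production fix also has to resolve symbolic links (for example with `os.path.realpath`) before matching, because a link inside an allowed directory is another way for the opened file to differ from the string that was checked.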
💻 Affected Systems
- ImageMagick
📦 What is this software?
ImageMagick by ImageMagick
⚠️ Risk & Real-World Impact
Worst Case
Attackers can read sensitive system files like /etc/shadow, /etc/passwd, SSH keys, or configuration files containing credentials, potentially leading to privilege escalation or complete system compromise.
Likely Case
Local file disclosure of sensitive configuration files, potentially exposing credentials, API keys, or other sensitive data stored in readable files.
If Mitigated
With proper policy controls and patched versions, file read operations are blocked, though write operations may still require additional policy configuration.
🎯 Exploit Status
Exploitation requires local access or the ability to trigger ImageMagick processing with crafted input. The advisory includes technical details that facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ImageMagick 7.1.2-15 and 6.9.13-40
Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8jvj-p28h-9gm7
Restart Required: No
Instructions:
1. Update ImageMagick to version 7.1.2-15 or 6.9.13-40 using your package manager.
2. For Linux: 'sudo apt update && sudo apt upgrade imagemagick' (Debian/Ubuntu) or 'sudo yum update ImageMagick' (RHEL/CentOS; the RPM package name is capitalized).
3. Verify the update with 'convert --version' or 'magick --version'.
🔧 Temporary Workarounds
Add write prevention policy
Add policy rules to prevent file-writing operations as additional protection.
Add to policy.xml, under the <policymap> section: <policy domain="coder" rights="none" pattern="*"/>. Note that a coder rule with pattern="*" disables every coder, so ImageMagick will no longer read or write any image format at all; narrow the pattern to the coders you actually need to block.
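As an added illustration (not text from the advisory and not ImageMagick's shipped policy file), here is the rule suggested above next to a narrower form. The coder list and the indirect-read path rule follow the style of ImageMagick's stock hardened policy, but which coders a given deployment can afford to disable is an assumption you must check against your own workload.

```xml
<!-- Added illustration; not the advisory's or ImageMagick's own policy.xml -->
<policymap>
  <!-- The workaround as stated above: rights="none" on every coder. This does
       stop ImageMagick writing files, but it also stops it reading any image,
       so processing breaks entirely. Kept here commented out for comparison. -->
  <!-- <policy domain="coder" rights="none" pattern="*"/> -->

  <!-- Narrower form: disable only the delegate-backed coders that hardened
       policies commonly switch off, leaving the ordinary image coders usable. -->
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>

  <!-- Refuse indirect filename reads of the form "@file". -->
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
```

None of these rules repairs CVE-2026-25965 on an unpatched build: the advisory's point is that path rules are evaluated before the path is resolved, so policy.xml is defence in depth here, not the fix.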
Restrict ImageMagick usage
Limit ImageMagick usage to trusted users and applications only.
chmod 750 /usr/bin/convert
chmod 750 /usr/bin/magick
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all paths passed to ImageMagick
- Use application-level file access controls instead of relying solely on ImageMagick policies
🔍 How to Verify
Check if Vulnerable:
Check the ImageMagick version with 'convert --version' or 'magick --version' and compare it against the patched versions 7.1.2-15 and 6.9.13-40. Distribution packages sometimes backport the fix under an older version number, so also check your distribution's security advisory before concluding a system is vulnerable.
Check Version:
{ magick --version || convert --version; } 2>/dev/null | head -n 1
Verify Fix Applied:
After updating, test with a path traversal attempt that should be blocked by the policy.
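The version comparison in the check above is easy to get wrong by hand because the two supported branches have different fix releases. The following added Python script (my own, not the project's tooling) parses the banner that 'magick --version' or 'convert --version' prints and decides per branch; the banner string in the test is constructed, and the assumption that the fourth number is the release counter follows the advisory's own version format.

```python
import re
import shutil
import subprocess

# Patched releases named in the advisory, keyed by major version.
PATCHED = {7: (7, 1, 2, 15), 6: (6, 9, 13, 40)}

# Matches the version inside the banner line, e.g. "Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 ..."
VERSION_RE = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_banner(banner):
    """Return (major, minor, patch, release) from a --version banner, or raise if absent."""
    match = VERSION_RE.search(banner)
    if match is None:
        raise ValueError("no ImageMagick version string in banner")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if the version is at or above the fix for its branch, False if below,
    None if the branch is not one the advisory covers (check it by hand)."""
    fixed = PATCHED.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def installed_version():
    """Ask the installed binary for its banner (magick on IM7, convert on IM6);
    returns the parsed tuple, or None when neither binary is on PATH."""
    for exe in ("magick", "convert"):
        path = shutil.which(exe)
        if path is None:
            continue
        result = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
        return parse_banner(result.stdout)
    return None


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("ImageMagick not found on PATH")
    else:
        print("installed %d.%d.%d-%d, patched: %s" % (found + (is_patched(found),)))
```

A result of False means the binary predates the fix; None means an unlisted major version. Remember that a distribution may backport the fix without bumping the upstream version string, in which case this check reports a false positive and the distribution advisory is the authority.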
📡 Detection & Monitoring
Log Indicators:
- Failed file access attempts to sensitive paths via ImageMagick
- Unusual file read patterns from ImageMagick processes
Network Indicators:
- N/A - local file disclosure vulnerability
SIEM Query:
(process.name:"convert" OR process.name:"magick") AND (file.path:"/etc/*" OR file.path:"/root/*" OR file.path:"/home/*/.ssh/*")
AND binds more tightly than OR in Lucene-style query languages, so without the parentheses the query matches every convert process regardless of path. Some query languages (KQL, for one) treat wildcards inside quotes as literal characters, so adapt the path terms to your SIEM's wildcard syntax.
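To check that the detection logic does what the query intends before deploying it, here is an added Python version of the same rule run over a few constructed events; it is my own code, not from the advisory, and the flattened ECS-style field names are an assumption about the SIEM's schema.

```python
import fnmatch

# The query with precedence made explicit:
#   (process is convert or magick) AND (path matches one of the sensitive globs)
PROCESS_NAMES = {"convert", "magick"}
SENSITIVE_GLOBS = ["/etc/*", "/root/*", "/home/*/.ssh/*"]


def matches_rule(event):
    """Apply the rule to one flattened event (ECS-style keys are an assumption)."""
    if event.get("process.name") not in PROCESS_NAMES:
        return False
    path = event.get("file.path", "")
    return any(fnmatch.fnmatchcase(path, glob) for glob in SENSITIVE_GLOBS)


def find_hits(events):
    """Every event the rule would alert on."""
    return [event for event in events if matches_rule(event)]


def tally_by_process(events):
    """Per-process counts of sensitive-path touches; a spike is the 'unusual file
    read patterns' indicator, which is harder to see from single alerts."""
    counts = {}
    for event in find_hits(events):
        counts[event["process.name"]] = counts.get(event["process.name"], 0) + 1
    return counts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process.name": "convert", "file.path": "/etc/passwd", "event.outcome": "success"},
    {"process.name": "magick", "file.path": "/home/alice/.ssh/id_ed25519", "event.outcome": "failure"},
    {"process.name": "convert", "file.path": "/var/www/uploads/cat.png", "event.outcome": "success"},
    {"process.name": "sshd", "file.path": "/etc/ssh/sshd_config", "event.outcome": "success"},
    {"process.name": "magick", "file.path": "/tmp/work/out.png", "event.outcome": "success"},
    {"process.name": "magick", "file.path": "/root/.bash_history", "event.outcome": "failure"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT", hit["process.name"], hit["file.path"], hit["event.outcome"])
    print(tally_by_process(SAMPLE_EVENTS))
```

The sshd event is not a hit even though it touches /etc, which is the behaviour the parentheses in the corrected query guarantee; the original unparenthesised form would have fired on the harmless upload-processing event instead.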