Multiple vulnerabilities in ImageMagick have been discovered. When submitted images are processed, one of these vulnerabilities can lead to remote code execution (RCE).
ImageMagick is a software tool that is commonly used by web services to process images. It is used by at least the following image processing plugins: PHP's imagick, Ruby's rmagick and paperclip, and nodejs's imagemagick. This list is not exhaustive.
The main risk is for webservers.
ImageMagick is cross-platform so the vulnerability can affect Windows and Linux servers alike.
If you run a webservice which allows visitors to upload pictures, check (or have your provider check) whether the libraries/plugins used to handle the images use ImageMagick.
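One way to run that check over an application tree, as an added example that is not part of the original advisory. The binding names are the ones listed above; the files searched (Gemfile, Gemfile.lock, package.json, composer.json and PHP `*.ini` files) are assumptions about where each ecosystem declares its dependencies.

```python
import json
import re
from pathlib import Path

# Names per ecosystem come from the advisory; the file names are assumptions.
WANTED = {
    "Gemfile": {"rmagick", "paperclip"},
    "Gemfile.lock": {"rmagick", "paperclip"},
    "package.json": {"imagemagick"},
    "composer.json": {"imagick"},
}
GEM = re.compile(r"^\s*gem\s+['\"]([^'\"]+)['\"]")    # Gemfile entry
LOCKED = re.compile(r"^\s+([A-Za-z0-9_.-]+) \(")       # Gemfile.lock entry
PHP_EXT = re.compile(r"^\s*extension\s*=\s*\"?(?:.*[/\\])?(?:php_)?(\w+)")


def declared_names(path):
    """Yield dependency names declared in one manifest or PHP ini file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    if path.name in ("package.json", "composer.json"):
        try:
            doc = json.loads(text)
        except ValueError:
            return  # unparsable manifest: nothing reliable to report
        for key in ("dependencies", "devDependencies", "optionalDependencies",
                    "require", "require-dev"):
            section = doc.get(key) if isinstance(doc, dict) else None
            for name in (section if isinstance(section, dict) else ()):
                # Composer declares PHP extensions as "ext-<name>"
                yield name[4:] if name.startswith("ext-") else name
        return
    pattern = {"Gemfile": GEM, "Gemfile.lock": LOCKED}.get(path.name, PHP_EXT)
    for line in text.splitlines():
        match = pattern.match(line)  # commented-out lines (# or ;) do not match
        if match:
            yield match.group(1)


def find_imagemagick_bindings(root):
    """Map each file under root to the ImageMagick bindings it declares."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        wanted = WANTED.get(path.name, {"imagick"} if path.suffix == ".ini" else None)
        if wanted is None or not path.is_file():
            continue
        hits = {name.lower() for name in declared_names(path)} & wanted
        if hits:
            findings[path.relative_to(root).as_posix()] = sorted(hits)
    return findings
```

An empty result only means none of these declarations were found; code that shells out to ImageMagick's command-line tools directly will not appear in a manifest.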
Since one of the vulnerabilities allows for remote code execution (RCE), the impact can be the following, but is not limited to:
This is a bug which is relatively easy to exploit, so we expect it to be used in the wild.
These vulnerabilities can be mitigated by doing one of the following:
Updates will be made available by ImageMagick this weekend for versions 7.0.1-1 and 6.9.3-10.