ImageTragick: An RCE vulnerability in ImageMagick


Multiple vulnerabilities in ImageMagick have been discovered. One of them can lead to remote code execution (RCE) when submitted images are processed.


ImageMagick is a software package commonly used by web services to process images. It is used by, among others, the following image processing plugins: PHP's imagick, Ruby's rmagick and paperclip, and Node.js's imagemagick. Note that this list is not exhaustive.

Who is affected

The main risk is to web servers. ImageMagick is cross-platform, so the vulnerability can affect Windows and Linux servers alike.

If you run a web service that allows visitors to upload pictures, check (or have your provider check) whether the libraries or plugins used to handle the images use ImageMagick.


Since one of the vulnerabilities allows for remote code execution (RCE), the impact includes, but is not limited to:

  • data leakage;
  • credential theft;
  • denial of service of the system.

This bug is relatively easy to exploit, so we expect it to be used in the wild.

What should I do?

These vulnerabilities can be mitigated by doing one of the following:

  • Edit the policy.xml file (usually found in /etc/ImageMagick) and include these lines. This will disable the vulnerable coders.
  • Check whether images begin with the expected magic bytes before sending them to ImageMagick for processing. Magic bytes are the first few bytes of a file, used to identify its type. Check the content itself rather than the file extension, since the extension is chosen by the uploader.
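The magic-bytes check from the second mitigation, as an added Python example that is not part of this advisory; the signature table, the default allow-list and the sample uploads are constructed for illustration:

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Allow-listed raster formats -> alternative signatures. A signature is a list
# of (offset, bytes) pairs that must ALL match at those offsets.
SIGNATURES: Dict[str, List[List[Tuple[int, bytes]]]] = {
    "png":  [[(0, b"\x89PNG\r\n\x1a\n")]],
    "jpeg": [[(0, b"\xff\xd8\xff")]],
    "gif":  [[(0, b"GIF87a")], [(0, b"GIF89a")]],
    "webp": [[(0, b"RIFF"), (8, b"WEBP")]],   # RIFF container, WEBP chunk id
}

def sniff_format(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes match the start of data, else None.
    Slicing past the end yields a short slice, so truncated input never matches."""
    for name, alternatives in SIGNATURES.items():
        for signature in alternatives:
            if all(data[off:off + len(magic)] == magic for off, magic in signature):
                return name
    return None

def validate_upload(data: bytes, allowed: Iterable[str] = ("png", "jpeg", "gif")) -> bool:
    """True only if the content identifies itself as an allowed raster format.
    The file name and extension are deliberately ignored: the uploader chooses
    them, and ImageMagick can pick its coder from the content rather than the name."""
    fmt = sniff_format(data)
    return fmt is not None and fmt in set(allowed)

def screen_uploads(uploads: Dict[str, bytes]) -> Dict[str, bool]:
    """Run validate_upload over a batch, keyed by the uploader-supplied name."""
    return {name: validate_upload(data) for name, data in uploads.items()}

# Constructed sample uploads (not real files): four genuine headers and two
# text payloads that carry an image extension but no image signature.
SAMPLE_UPLOADS = {
    "photo.jpg":  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "logo.png":   b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "anim.gif":   b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "pic.webp":   b"RIFF\x24\x00\x00\x00WEBPVP8 ",
    "avatar.jpg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>',
    "notes.jpg":  b"plain text with a picture's extension",
}

if __name__ == "__main__":
    for name, accepted in screen_uploads(SAMPLE_UPLOADS).items():
        detected = sniff_format(SAMPLE_UPLOADS[name])
        print(f"{name:12} -> {'accept' if accepted else 'reject'} ({detected})")
```

Apply the check to the raw bytes before a wrapper such as imagick, rmagick or paperclip hands the file to ImageMagick, and keep the allow-list to the raster formats your service actually needs.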

Updates will be made available by ImageMagick this weekend for versions 7.0.1-1 and 6.9.3-10.

External resources