VDB
GSD-2023-1289
GSD-2023-1289
PUBLISHED
A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | ImageMagick | Fixed-in ImageMagick v7.1.1-0 |
Timeline
- Jul 12, 2001 CVE Published
- Jun 9, 2023 PoC Published
- Jul 15, 2023 PoC Published
- Nov 4, 2023 PoC Published
- Dec 8, 2023 PoC Published
- Mar 1, 2024 PoC Published
- Apr 5, 2024 PoC Published
- Jul 17, 2024 PoC Published
- May 9, 2025 PoC Published
- Sep 30, 2025 PoC Published
- Oct 11, 2025 PoC Published
- Oct 12, 2025 PoC Published
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2176858 url
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr url
- https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4 url
- [debian-lts-announce] 20240222 [SECURITY] [DLA 3737-1] imagemagick security update mailing-list