CVE-2026-25965
Path Traversal in ImageMagick Enables Local File Disclosure
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | Up to 6.9.13-40 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-15 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-25965 is a high-severity vulnerability in ImageMagick versions prior to 7.1.2-15 and 6.9.13-40. It involves a bypass of the path security policy through path traversal sequences. ImageMagick enforces path security policies on the raw filename string before the filesystem resolves it. This means that a policy rule like /etc/* can be circumvented by using path traversal sequences such as ../. The operating system resolves these sequences and allows access to sensitive files, but the policy matcher only sees the unnormalized path and therefore permits the read operation. This results in local file disclosure (LFI) even when a secured policy like policy-secure.xml is applied.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized local file disclosure, allowing an attacker to read sensitive files on the system where ImageMagick is running. It requires no privileges or user interaction and can be exploited remotely over the network with low complexity. The impact is a high loss of confidentiality, meaning sensitive information could be exposed. However, it does not affect the integrity or availability of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a path traversal bypass in ImageMagick's policy enforcement, allowing unauthorized reading of restricted files. Detection would involve identifying attempts to exploit path traversal sequences in file paths processed by ImageMagick.

Since the vulnerability is triggered by path traversal patterns like '../' in filenames passed to ImageMagick, monitoring logs or commands invoking ImageMagick with such patterns could help detect exploitation attempts.

Specific commands to detect exploitation attempts are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is recommended to update ImageMagick to versions 7.1.2-15 or 6.9.13-40 or later, where the issue has been fixed.

Additionally, add a policy rule to deny rights to any path containing traversal sequences to prevent bypass, for example:

<policy domain="path" rights="none" pattern="*../*"/>

This rule will block any file access attempts involving path traversal sequences, enhancing security even if the policy-secure.xml is applied. [1]
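
The explanation and the mitigation rule above both come down to when the pattern is compared against the filename. The following is an added example, not ImageMagick's code: a simplified Python model that uses `fnmatch` as a stand-in for the policy matcher and compares raw-string matching, the `*../*` deny rule, and matching after normalization. The function names, sample paths and the working directory `/srv/app` are assumptions made for illustration.

```python
import fnmatch
import posixpath

# Patterns taken from the page; fnmatch only approximates the real matcher.
POLICY_ETC = ["/etc/*"]                 # the rule described as bypassable
POLICY_HARDENED = ["/etc/*", "*../*"]   # plus the page's mitigation pattern


def denied_raw(path, patterns):
    """Match the filename exactly as supplied (the behaviour described as flawed)."""
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def denied_normalized(path, patterns, cwd="/srv/app"):
    """Collapse '.' and '..' lexically against cwd before matching.

    A wrapper in front of ImageMagick could apply this check; real code
    should also resolve symlinks (os.path.realpath) before comparing.
    """
    resolved = posixpath.normpath(posixpath.join(cwd, path))
    return any(fnmatch.fnmatchcase(resolved, p) for p in patterns)


# Constructed sample filenames, not taken from any real log.
SAMPLES = [
    "/etc/passwd",
    "/tmp/../etc/passwd",
    "../../etc/passwd",
    "uploads/cat.png",
]


def compare(paths=SAMPLES):
    """Return (path, raw /etc/*, raw hardened, normalized /etc/*) per sample."""
    return [
        (p,
         denied_raw(p, POLICY_ETC),
         denied_raw(p, POLICY_HARDENED),
         denied_normalized(p, POLICY_ETC))
        for p in paths
    ]


if __name__ == "__main__":
    print(f"{'path':<22}{'raw':<8}{'raw+../':<10}{'normalized'}")
    for path, raw, hardened, norm in compare():
        print(f"{path:<22}{str(raw):<8}{str(hardened):<10}{norm}")
```

The `*../*` pattern also matches a directory whose name ends in two dots (for example `a../b`), so it can deny a small number of legitimate paths.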