Impact
GD::Image::_make_filehandle opens a supplied filename with Perl's insecure two-argument open, so a value that begins with a pipe, ends with a pipe, or contains a redirection operator is interpreted as a shell command or redirection directive rather than as a file path. An attacker who can supply such a crafted filename can execute arbitrary OS commands or truncate files with the privileges of the running process. The flaw is classified as CWE-73 and CWE-78 and can lead to full system compromise or data loss.
Affected Systems
The vulnerability affects all versions of the RURBAN:GD Perl library older than 2.86. Any constructor that accepts a filename argument—including new, newFromPng, newFromJpeg, and others—uses the flawed _make_filehandle path. In-memory data constructors that do not open a path are immune.
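A caller-side mitigation for code that cannot yet move to 2.86, shown as an added example that is not code from GD or from this advisory: open the untrusted path yourself with three-argument open and hand the constructor a filehandle instead of a name. The helper name open_image_path is hypothetical, the sample names are constructed, and the example assumes the GD constructors use a passed-in filehandle as-is, as GD's documentation describes for filehandle arguments.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical helper (not part of GD): open an untrusted path for reading
# with three-argument open, so the name is only ever treated as a path.
sub open_image_path {
    my ($path) = @_;
    die "no path given\n" unless defined $path && length $path;
    die "NUL byte in path\n" if $path =~ /\0/;
    # Defence in depth: refuse the shapes two-argument open treats specially
    # (leading/trailing pipe, leading redirection operator) so they get logged.
    die "rejected suspicious path: $path\n"
        if $path =~ /^\s*\+?[|<>]/ || $path =~ /\|\s*$/;
    open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
    binmode $fh;
    return $fh;
}

# Constructed sample input: one real file plus names shaped like the ones
# the advisory describes. The command text is a harmless placeholder.
my $dir  = tempdir(CLEANUP => 1);
my $good = File::Spec->catfile($dir, 'logo.png');
open(my $out, '>', $good) or die "setup failed: $!\n";
print {$out} "constructed placeholder bytes\n";
close $out;

for my $name ($good, 'placeholder-command |', '| placeholder-command', "> $good") {
    my $fh = eval { open_image_path($name) };
    if ($fh) {
        print "opened as a plain file: $name\n";
        # With GD installed, pass the handle rather than the name:
        #   my $img = GD::Image->newFromPng($fh);
        close $fh;
    } else {
        print "refused: $@";
    }
}

# The file named by the "> ..." entry has not been truncated.
print "sample file size after run: ", -s $good, " bytes\n";
```

The pattern check is only there to surface hostile input early; the three-argument open is what removes the command and redirection interpretation.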
Risk and Exploitability
The likely attack vector, inferred from the description, is a malicious pathname supplied to GD::Image constructors via web input, file uploads, or API calls. The CVSS score of 9.8 marks the issue as critical, while the EPSS score of 1% indicates a currently low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation through the inferred attack vector requires relatively little effort. The damage depends on the privileges of the host process and can extend to remote code execution or destructive file overwrite.