Impact
ImageMagick’s distributed pixel cache was originally designed without a challenge–response authentication model, allowing an attacker to read pixel data that the server accessed. This flaw can expose image contents to unauthorized parties, compromising confidentiality of image assets. The weakness is classified as CWE-200 (Information Disclosure) and CWE-306 (Authentication Failure).
Affected Systems
The vulnerability affects all deployments of ImageMagick prior to versions 6.9.13‑48 and 7.1.2‑23. Users running older releases of ImageMagick, including any custom builds that enable the distributed pixel cache, are potentially impacted and should verify their current version.
Risk and Exploitability
The CVSS score of 4.1 indicates a moderate risk. The EPSS score of < 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploits in the wild. If the pixel cache server is exposed to the network, the attack vector is likely remote, as an adversary could connect to the server and retrieve pixel data. If the server is isolated, the risk may be limited to local or compromised hosts.
OpenCVE Enrichment
Debian DLA
Debian DSA
Github GHSA