Impact
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 suffer from a flaw in the SVG decoder that permits injection of arbitrary MVG drawing commands. When ImageMagick renders a crafted SVG file, these injected commands are executed as part of the rendering process. Because these commands are interpreted locally by the ImageMagick engine, they can alter the rendered output or potentially trigger other unintended behaviors.
Affected Systems
The flaw affects all installations of ImageMagick that use the SVG decoder and run versions earlier than 7.1.2-15 or 6.9.13-40. Vendors using ImageMagick versions 7.x before the mentioned patch or 6.9.x before 6.9.13-40 build are vulnerable. The vulnerability is present in an ImageMagick process. The description indicates that the attacker must provide a malicious file, and no additional network privileges are required beyond the ability to supply a malicious SVG file. The CVSS score is 9.2, indicating high severity, and the EPSS score is < 1%, indicating only a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The nature of the flaw allows an attacker to execute arbitrary MVG drawing commands during rendering, making the risk significant for any system that accepts untrusted SVG input.
Risk and Exploitability
The flaw exposes ImageMagick to a command injection that can be triggered by any forged SVG file. The attacker does not need privileged access to the host beyond the ability to provide a file that is processed by ImageMagick. Because the injected commands are interpreted as MVG drawing commands during rendering, the impact is confined to whatever the rendering process can affect—potentially corrupting output or causing denial‑of‑service. The CVSS score of 9.2 is very high, while the EPSS score of < 1 % and absence from KEV suggest it is rarely exploited in the wild. Nevertheless, environments that accept untrusted SVG input remain at risk.
OpenCVE Enrichment