CVE-2026-25965 in ImageMagick
Summary
by MITRE • 02/24/2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent reading from files have been taken in versions .7.1.2-15 and 6.9.13-40 But it make sure writing is also not possible the following should be added to one's policy. This will also be included in ImageMagick's more secure policies by default.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/01/2026
CVE-2026-25965 represents a critical path traversal vulnerability in ImageMagick that fundamentally undermines the software's security policy enforcement mechanisms. This vulnerability exists in versions prior to 7.1.2-15 and 6.9.13-40 where the path security policy operates on raw filename strings before the operating system resolves filesystem paths. The flaw creates a dangerous discrepancy between the policy matcher's view of file paths and the actual filesystem resolution process. When policy rules such as /etc/* are applied, attackers can exploit this weakness through carefully crafted path traversal sequences that the OS resolves to sensitive files while the policy enforcement system only examines the unnormalized path string. This architectural weakness directly maps to CWE-22 Path Traversal vulnerabilities and represents a classic case of improper input validation in security-critical software components. The vulnerability enables local file disclosure attacks that can access sensitive system files, configuration data, and potentially confidential information stored in protected directories.
The operational impact of this vulnerability extends beyond simple information disclosure to encompass potential privilege escalation and data exfiltration scenarios. Attackers can leverage this weakness to bypass security restrictions that are supposed to prevent access to critical system resources such as configuration files, authentication data, and system logs. The vulnerability affects ImageMagick's core functionality where it processes digital images and handles various file formats, making it particularly dangerous in environments where the software processes untrusted input from users or external sources. Security policies that should protect against unauthorized file access become ineffective due to the premature evaluation of path strings. This issue particularly impacts web applications and services that utilize ImageMagick for image processing, as these systems often process user-uploaded content without proper sanitization of file paths. The vulnerability demonstrates a fundamental flaw in how path normalization and security policy enforcement interact within the software stack.
The remediation approach for CVE-2026-25965 requires both immediate software updates to versions 7.1.2-15 and 6.9.13-40 where the path resolution and policy enforcement have been properly synchronized. However, administrators must also implement additional protective measures to ensure comprehensive security coverage. The fix addresses not only reading but also writing operations that could be exploited through similar path traversal techniques. Organizations should incorporate specific policy configurations that explicitly prevent both read and write operations on sensitive filesystem locations. The updated ImageMagick security policies now include default protections against these types of attacks, aligning with ATT&CK technique T1059 Command and Scripting Interpreter and T1566 Phishing with malicious file attachments. System administrators should review existing security policies and ensure that the updated policy files properly enforce both input validation and output sanitization. This vulnerability underscores the importance of proper path normalization in security-critical applications and demonstrates how seemingly minor implementation details can create significant security weaknesses. The fix ensures that path traversal attempts are properly detected and blocked at the filesystem resolution level rather than relying on premature policy matching that can be bypassed through path manipulation techniques.