
While that may have been true in 2014, today it's hard to find an exploitable bug affecting a major image format parser in ImageMagick. Assuming you aren't using unsanitized user-provided parameters on the command line with it, it should be fine unless your attacker is very motivated.



There was an RCE vulnerability this year: https://imagetragick.com/


ImageTragick did not affect major image formats; it was a vulnerability in the parser for ImageMagick's scripting languages [1]. The real problem was that support for scripting was enabled by default, and there was no obvious big red button to disable it.

[1] Like MVG (http://www.imagemagick.org/script/magick-vector-graphics.php) and MSL (http://www.imagemagick.org/script/conjure.php)
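An added example, not part of any comment in this thread and not ImageMagick's own code: a Python check that reads an ImageMagick `policy.xml` and reports whether the MVG and MSL scripting coders discussed above are denied. The sample policy is constructed, and the rule "blocked only if denied and never granted" is a conservative assumption of this sketch rather than ImageMagick's own evaluation order.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Scripting coders named in the comment above (MVG and MSL).
SCRIPT_CODERS = ("MVG", "MSL")

def expand_braces(pattern):
    """Expand one '{A,B}' list, e.g. '{MVG,MSL}' -> ['MVG', 'MSL']."""
    start, end = pattern.find("{"), pattern.find("}")
    if start == -1 or end < start:
        return [pattern]
    head, tail = pattern[:start], pattern[end + 1:]
    return [head + alt + tail for alt in pattern[start + 1:end].split(",")]

def coder_status(policy_xml, coders=SCRIPT_CODERS):
    """Map each coder to True when policy.xml denies it outright.

    Conservative rule (an assumption of this sketch, not ImageMagick's own
    evaluation order): a coder counts as blocked only if some matching
    entry has rights="none" and no matching entry grants any rights.
    """
    root = ET.fromstring(policy_xml)
    status = {}
    for coder in coders:
        denied = granted = False
        for policy in root.iter("policy"):
            if policy.get("domain", "").lower() != "coder":
                continue
            globs = expand_braces(policy.get("pattern", ""))
            if not any(fnmatch.fnmatchcase(coder, g) for g in globs):
                continue
            if policy.get("rights", "").strip().lower() == "none":
                denied = True
            else:
                granted = True
        status[coder] = denied and not granted
    return status

# Constructed sample: MVG is denied, MSL is left at the default.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
</policymap>"""

if __name__ == "__main__":
    for coder, blocked in coder_status(SAMPLE_POLICY).items():
        print(f"{coder}: {'blocked' if blocked else 'NOT blocked'}")
```
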



