Snyk Blog

Mitigating ImageMagick vulnerabilities in Node.js

Written by:
Guy Podjarny
Guy Podjarny

May 6, 2016

0 mins read

Multiple severe and trivially exploited vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe which disables the vulnerable features, protecting against the known exploits.

TL; DR

ImageMagick is an extremely popular library and binary for manipulating images. Amongst other uses, it’s often used to process user generated content, such as avatar images, product photos or displaying images in social channels.

Earlier this week, multiple severe and easily exploited vulnerabilities in ImageMagick were disclosed. There is no official fix yet, but it can be mitigated by disabling certain features.

In Node.js, ImageMagick is primarily invoked through the imagemagick npm package. This package has not been updated in over 2 years, and so is unlikely to help address this issue.

To help protect Node.js ImageMagick users, we released a dedicated npm package called imagemagick-safe, which disables the vulnerable features. We also submitted a pull request with this change to the imagemagick package GitHub repo, but given the repo’s inactivity we think it’s unlikely it’ll be pulled in.

ImageTragick - background

The disclosed vulnerabilities are especially noteworthy for three reasons:

  1. Some of the vulnerabilities are extremely severe, allowing attackers to execute commands on the server, expose server files and more.

  2. The vulnerabilities trivial to exploit, requiring no more than a purpose-built image file and a single HTTP request.

  3. There is still no official fix available.

  4. The vulnerabilities are known to be exploited in the wild.

The whole incident is being referred to as ImageTragick, and you can find more detail about the vulnerabilities on its dedicated website, imagetragick.com.

Cause & mitigation

From what is currently known, the vulnerabilities are all related to the processing of specific image file types and keywords, such as MVG, URL and HTTPS. The file types support an internal action (e.g. include another image) and the processing of these actions is not sufficiently sanitized, enabling remote command execution. Here’s an example of an exploit, copied from the official vulnerability website:

Sample exploit.svg

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";> 
<svg width="640px" height="480px" version="1.1" xmlns="http://www.w3.org/2000/svg"; xmlns:xlink= "http://www.w3.org/1999/xlink";> 
<image xlink:href="https://example.com/image.jpg"|ls "-la" 
x="0" y="0" height="640px" width="480px"/>

Sample execution

$ convert exploit.mvg out.png
total 32
drwxr-xr-x 6 user group 204 Apr 29 23:08 .
drwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..

The way to disable support for these formats and keywords is by editing ImageMagick’s (optional) policy.xml configuration file, ensuring it includes the content below. Doing so will actually remove some functionality, but will also address the vulnerabilities. Note that editing the policy is not guaranteed to address all possible exploits, but the vulnerability researchers claim it blocks all those currently known to them.

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" /> 
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>

imagemagick-safe npm package

Given that the primary imagemagick package is not active, we created a new package called imagemagick-safe.

This package forces the use of the above policy, disabling features but removing vulnerabilities in the process. We recommend you use it until new ImageMagick binaries are released, and you’ve confirmed your systems are upgraded.

Note you can also use ImageMagick via the gm package, we’re looking at submitting a pull request there too.

If you find issues or otherwise have feedback about this package, please let us know at support@snyk.io.

Live Hack: Exploiting AI-Generated Code

Gain insights into best practices for utilizing generative AI coding tools securely in our upcoming live hacking session.

Register now

Posted in:Vulnerability Insights

Level Up Your CI/CD Pipelines

See how these 8 tips can help you catch security issues in the pipe BEFORE you push to production ⭐️

See the cheatsheet
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon