CVE-2019-13574
Description
In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MiniMagick before 4.9.4 allows remote command execution via crafted image URLs due to unsanitized input to Kernel#open.
Root Cause
CVE-2019-13574 arises because the MiniMagick::Image.open method passes user-supplied input directly to Ruby's Kernel#open. Kernel#open interprets a pipe character (|) as a command separator, allowing arbitrary shell commands to be executed when a specially crafted URL or filename is provided [1][2].
Exploitation
An attacker can exploit this by providing a malicious image URL containing a pipe and a command, e.g., http://example.com/image.jpg|command. No authentication is required if the application accepts user-controlled URLs for image processing. The vulnerability is triggered upon opening the image with MiniMagick, which is a common operation in web applications that resize or process user-submitted images [2][4].
Impact
Successful exploitation allows remote command execution with the privileges of the Ruby process. This can lead to full compromise of the application server, including data theft, service disruption, or further lateral movement within the network [2][4].
Mitigation
The vulnerability is fixed in MiniMagick version 4.9.4. Users should upgrade immediately. For Debian systems, updates are available for oldstable (stretch) and stable (buster) via DSA-4481-1 [4]. No workaround is documented other than upgrading.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
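As an added example (not MiniMagick's own code), the routine below in Ruby shows the shape of the fix described above: the argument is parsed with `URI()` first, remote sources go through open-uri's `URI#open`, and everything else goes through `File.open`, so the raw string never reaches `Kernel#open`. The function names `open_image_source` and `probe_image_source` and the sample temp file are constructed for this example.

```ruby
require "uri"
require "open-uri"
require "tempfile"

# Hypothetical hardened open routine shaped like the 4.9.4 fix: parse the
# argument as a URI first, then hand it to open-uri (HTTP/FTP) or File.open.
# The raw string never reaches Kernel#open, so a leading "|" is never treated
# as a command; it is either rejected by the URI parser or looked up as a
# literal filename.
def open_image_source(path_or_url, &block)
  uri = URI(path_or_url.to_s)                 # "| touch file.txt" raises URI::InvalidURIError
  if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP)
    uri.open(&block)                          # open-uri fetch; no shell involved
  else
    File.open(path_or_url.to_s, "rb", &block) # plain filesystem open; "|" is just a byte here
  end
end

# Reads the first `bytes` bytes of the source, or returns the exception class
# that stopped the open so a caller can reject the input and log it.
def probe_image_source(path_or_url, bytes: 4)
  open_image_source(path_or_url) { |io| io.read(bytes) }
rescue URI::InvalidURIError, SystemCallError => e
  e.class
end

if __FILE__ == $0
  # Constructed sample: a temp file holding only the PNG signature bytes.
  sample = Tempfile.new(["sample", ".png"])
  sample.binmode
  sample.write("\x89PNG".b)
  sample.close
  p probe_image_source(sample.path)          # => "\x89PNG"
  p probe_image_source("| touch file.txt")   # => URI::InvalidURIError, nothing executed
  p probe_image_source("missing.png")        # => Errno::ENOENT
  p probe_image_source("no such file.png")   # => URI::InvalidURIError
  sample.unlink
end
```

The last probe shows the trade-off this design carries: because local paths are validated as URI strings before `File.open` is reached, a legitimate filename containing a space (or other characters that are not URI-safe) is rejected with the same error as the pipe input. An application that must accept such filenames should check `File.exist?` on the raw string and open it directly with `File.open`, which does not interpret `|`, rather than relaxing the URI check.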
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mini_magick (RubyGems) | < 4.9.4 | 4.9.4 |
Affected products
- MiniMagick / MiniMagick
Patches
4cd5081e5881 Don't allow remote shell execution
2 files changed · +14 −8
lib/mini_magick/image.rb+6 −8 modified@@ -82,17 +82,15 @@ def self.import_pixels(blob, columns, rows, depth, map, format = 'png') def self.open(path_or_url, ext = nil, options = {}) options, ext = ext, nil if ext.is_a?(Hash) - ext ||= - if File.exist?(path_or_url) - File.extname(path_or_url) - else - File.extname(URI(path_or_url).path) - end + uri = URI(path_or_url.to_s) + ext ||= File.extname(uri.path) ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon - Kernel.open(path_or_url, "rb", options) do |file| - read(file, ext) + if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP) + uri.open(options) { |file| read(file, ext) } + else + File.open(uri.to_s, "rb", options) { |file| read(file, ext) } end end
spec/lib/mini_magick/image_spec.rb+8 −0 modified@@ -76,6 +76,14 @@ expect(File.extname(image.path)).to eq ".jpg" end + it "doesn't allow remote shell execution" do + expect { + described_class.open("| touch file.txt") # Kernel#open accepts this + }.to raise_error(URI::InvalidURIError) + + expect(File.exist?("file.txt")).to eq(false) + end + it "accepts open-uri options" do stub_request(:get, "http://example.com/image.jpg") .with(headers: {"Foo" => "Bar"})
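Review bot: in the `image.rb` hunk the `else` branch still routes local paths through `URI(path_or_url.to_s)`, so a filename that is not a valid URI string (spaces, a literal `%`, non-ASCII bytes) now raises `URI::InvalidURIError` before the filesystem is consulted, which is a regression for callers passing existing local files. Since `File.open` never interprets a leading `|`, the local branch can safely use the original argument, e.g. `File.open(path_or_url.to_s, "rb", options)`, and derive `ext` from `File.extname(path_or_url.to_s)` when `File.exist?` is true, reserving `URI()` for the remote case. The new `uri.open(options)` call also depends on `open-uri` being loaded, and the hunk does not show the `require`; worth confirming it is present at the top of the file.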
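Review bot: in the `image_spec.rb` hunk the `File.exist?("file.txt")` assertion is only meaningful if the working directory was clean beforehand, and nothing removes the file if a regression does create it, so every later run would keep failing for the wrong reason; add an `after` hook that deletes `file.txt` when present. The example also covers only the bare leading-pipe form; a second case using the URL-plus-pipe shape cited in the advisory (`http://example.com/image.jpg|command`) would pin down that both input shapes are rejected before any open happens.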
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r7j3-vvh2-xrpj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-13574 (NVD advisory)
- www.debian.org/security/2019/dsa-4481 (Debian vendor advisory)
- benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4 (web)
- benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ (MITRE, misc)
- github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851 (fix commit)
- github.com/minimagick/minimagick/compare/d484786...293f9bb (compare view)
- github.com/minimagick/minimagick/releases/tag/v4.9.4 (release)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/mini_magick/CVE-2019-13574.yml (ruby-advisory-db)
- lists.debian.org/debian-lts-announce/2019/10/msg00007.html (mailing list)
- seclists.org/bugtraq/2019/Jul/20 (Bugtraq mailing list)