CVE-2022-44268

Vulnerability

ImageMagick version 7.1.0-49 is vulnerable to an information disclosure flaw when parsing PNG images. An attacker can craft a PNG file with a specially crafted text chunk that, when processed (e.g., during a resize operation), causes the resulting image to embed the content of an arbitrary file from the filesystem [1]. The vulnerability only arises if the magick binary has read permissions for the targeted file.

Exploitation

To exploit the vulnerability, an attacker submits a maliciously crafted PNG image to the target system where ImageMagick processes it. No authentication is required beyond the ability to upload or present a PNG file to the application (e.g., via a web upload form or command-line invocation). The processing step (such as convert, identify, or any tool that parses the PNG) triggers the file read [1]. The attacker does not need write access on the target system.

Impact

Successful exploitation results in information disclosure: the output image contains the contents of any file that the ImageMagick process can read. This can leak sensitive data such as application configuration files, environment variables, SSH keys, or source code. The impact is limited to file content exposure; arbitrary code execution or modification of data is not achieved directly.

Mitigation

The vulnerability was fixed in later releases of ImageMagick. Upgrading to version 7.1.0-50 or newer (the current stable release as of the advisory is 7.1.2-23) eliminates the flaw [1]. If upgrading is not immediately possible, organizations can restrict file system access for the ImageMagick process using security policies (e.g., policy.xml to limit allowed file paths) and avoid processing PNG images from untrusted sources.