VYPR
Unrated severity · NVD Advisory · Published May 30, 2023 · Updated Jan 13, 2025

CVE-2023-34152

Description

ImageMagick's OpenBlob function with --enable-pipes allows shell command injection via crafted filenames due to incomplete sanitization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-34152 is a shell command injection vulnerability in ImageMagick's OpenBlob function when the software is compiled with the --enable-pipes configuration option [1][3]. The flaw occurs because the SanitizeString function only removes single quotes but does not filter other shell metacharacters such as backticks and double quotes, allowing an attacker to inject arbitrary commands through a specially crafted image filename [3]. This vulnerability affects ImageMagick versions where the --enable-pipes option is enabled, and it is an incomplete fix for the earlier CVE-2016-5118 [3].

Exploitation

An attacker must have the ability to supply a malicious image filename to an ImageMagick command (e.g., `identify`, `convert`) on a system compiled with `--enable-pipes` [3]. The attack requires no additional authentication beyond normal file system access. By creating a file whose name contains shell metacharacters such as backticks or double quotes, the attacker can execute arbitrary commands when ImageMagick processes that file. For example, a file named ``|smile"`cat test.txt > leak.txt`".gif`` triggers the injection, where `cat test.txt > leak.txt` runs as a shell command [3]. No user interaction beyond the standard command execution is required.

Impact

Successful exploitation allows an attacker to execute arbitrary shell commands with the privileges of the ImageMagick process [1][2][3]. This leads to full remote code execution, including unauthorized data access, modification, or system compromise. The impact is limited only by the permissions of the running process and system security controls.

Mitigation

The Red Hat Product Security team has classified this as a configuration issue rather than a vulnerability in the default configuration, closing the bug as NOTABUG [2]. As of the published references, no official patch has been released. The recommended mitigation is to avoid using the --enable-pipes compile-time option unless absolutely necessary, as this feature explicitly enables pipe (shell command) support in filenames [3]. Users who cannot recompile without the option should sanitize filenames manually before passing them to ImageMagick.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 6

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Incomplete input sanitization in SanitizeString allows shell command injection via backticks and double quotes in filenames when pipes are enabled."

Attack vector

An attacker crafts an image file whose filename begins with the pipe character `|` followed by shell metacharacters. When ImageMagick opens this file (e.g., via `magick identify`), `OpenBlob` passes the filename to `popen_utf8`, which invokes a shell. Because `SanitizeString` does not strip backticks or double quotes, the attacker can inject arbitrary shell commands that execute in the context of the ImageMagick process [ref_id=1]. The attacker must have the ability to place a file with a malicious name on the filesystem and then trigger ImageMagick to open it.

Affected code

The vulnerability resides in the `OpenBlob` function of ImageMagick. When the `--enable-pipes` configure option is enabled, `OpenBlob` calls `popen_utf8` on a filename that has been passed through `SanitizeString`. The `SanitizeString` function only filters single quotes but does not filter backticks (`` ` ``) or double quotes (`"`), leaving a shell command injection vector open [ref_id=1].

What the fix does

The advisory does not include a patch; it identifies that the existing `SanitizeString` fix for CVE-2016-5118 is incomplete because it only filters single quotes but not backticks or double quotes [ref_id=1]. The remediation would require extending `SanitizeString` to also escape or reject backtick and double-quote characters, or to avoid shell interpretation of the filename entirely when pipes are enabled. No official fix is shown in the provided bundle.
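As an added illustration (not code from the advisory or from ImageMagick), the following Python models why stripping only single quotes leaves the injection characters in place, and shows the allowlist check a caller can apply before handing a filename to a pipe-enabled build, in line with the mitigation above. The function names, the metacharacter set and the allowlist pattern are assumptions.

```python
import re

# Shell metacharacters that matter when a pipe-enabled ImageMagick hands a
# filename to popen(). The advisory says SanitizeString strips only the
# single quote, so every other character here survives it.
SHELL_METACHARS = frozenset("`\"'$;&|<>(){}[]*?~\\\n")

# Allowlist for names a caller is willing to pass to ImageMagick: must start
# with a letter or digit (so never with '|'), then only letters, digits,
# dot, underscore or dash. Assumption: a conservative policy, not a standard.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def strip_single_quotes_only(name: str) -> str:
    """Simplified model of the incomplete sanitization the advisory describes.
    Assumption: an illustration, not ImageMagick's SanitizeString source."""
    return name.replace("'", "")


def surviving_metachars(name: str) -> set:
    """Shell metacharacters still present after single-quote stripping."""
    return {c for c in strip_single_quotes_only(name) if c in SHELL_METACHARS}


def is_safe_imagemagick_filename(name: str) -> bool:
    """Allowlist check for callers who cannot rebuild without --enable-pipes.
    Rejects empty names, anything starting with '|', and any name containing
    characters outside the allowlist (which covers all of SHELL_METACHARS)."""
    if not name or name.startswith("|"):
        return False
    return SAFE_NAME.fullmatch(name) is not None


# Constructed sample input: the filename used in the advisory's reproduction
# steps, plus a harmless one.
PAGE_PAYLOAD_NAME = '|smile"`cat test.txt > leak.txt`".gif'
BENIGN_NAME = "smile.gif"

if __name__ == "__main__":
    for n in (BENIGN_NAME, PAGE_PAYLOAD_NAME):
        print(repr(n), "survivors:", sorted(surviving_metachars(n)),
              "accepted:", is_safe_imagemagick_filename(n))
```

Rejecting the name outright is preferable to escaping it: a caller-side allowlist removes the shell from the picture regardless of which characters `SanitizeString` happens to strip.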

Preconditions

  • [config] ImageMagick must be compiled with the `--enable-pipes` configure option
  • [input] Attacker must be able to place a file whose name starts with `|` and contains shell metacharacters on the filesystem
  • [input] A user or automated process must open the maliciously-named file with ImageMagick (e.g., `magick identify`)

Reproduction

1. Configure ImageMagick with `./configure --enable-pipes`.
2. Create a normal image file (e.g., `smile.gif`).
3. Copy it to a filename starting with `|` containing the shell injection payload: ``cp smile.gif '|smile"`cat test.txt > leak.txt`".gif'``.
4. Run ``magick identify '|smile"`cat test.txt > leak.txt`".gif'``.
5. Observe that the injected command executes (e.g., `cat leak.txt` shows `deadbeef`) [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)