CVE-2023-34153
Description
ImageMagick shell command injection via video:vsync or video:pixel-format options allows arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A shell command injection vulnerability exists in ImageMagick (versions before a fix, likely 7.1.0-1 and earlier) in the VIDEO encoding/decoding path. The issue arises because user-supplied values for the video:vsync or video:pixel-format options are concatenated into a delegate command string without proper sanitization. The ExternalDelegateCommand function uses SanitizeString to block characters like &, ;, <, >, |, but does not block double quotes, allowing command injection via a crafted option value [1][3].
Exploitation
An attacker can trigger the vulnerability by providing a specially crafted value for -define video:pixel-format (or video:vsync) when processing a video file with ImageMagick. No authentication is needed; the attacker must only have the ability to supply the define option to a vulnerable ImageMagick version. The injected command executes in the context of the ImageMagick process. For example, using `` -define video:pixel-format='rgba"`cat test.txt > /tmp/leak.txt`"' `` demonstrates command injection during an identify operation [3].
Impact
Successful exploitation allows an attacker to execute arbitrary shell commands with the privileges of the user running ImageMagick. This can lead to complete compromise of the system depending on the user's permissions, including reading sensitive files, modifying data, or establishing persistent access. The vulnerability is rated high severity [2].
Mitigation
Red Hat has marked this as "Won't Fix" for certain products (e.g., Red Hat Enterprise Linux), indicating that the vulnerability will not be patched in those distributions [2]. Upstream ImageMagick developers should be consulted for a fix; as of the published references, no official patch version is confirmed. Users are advised to avoid processing untrusted video files with the video: delegate, or to restrict use of -define for video:* options. Using a non-vulnerable version (if patched later) is the primary mitigation [3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
13 products
- (no CPE)
- (no CPE)
- osv-coords, 11 versions:
  - pkg:apk/chainguard/imagemagick-6 (range: < 0)
  - pkg:apk/chainguard/imagemagick-6-dev (range: < 0)
  - pkg:apk/chainguard/imagemagick-6-doc (range: < 0)
  - pkg:apk/chainguard/imagemagick-6-static (range: < 0)
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.4 (range: < 7.1.0.9-150400.6.21.1)
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.5 (range: < 7.1.0.9-150400.6.21.1)
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed (range: < 7.1.1.17-1.1)
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4 (range: < 7.1.0.9-150400.6.21.1)
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5 (range: < 7.1.0.9-150400.6.21.1)
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 (range: < 7.1.0.9-150400.6.21.1)
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5 (range: < 7.1.0.9-150400.6.21.1)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient sanitization in SanitizeString allows double-quote characters to break out of quoted arguments, enabling shell command injection via video:vsync or video:pixel-format options."
Attack vector
An attacker can inject shell commands by supplying a crafted value for the `video:pixel-format` or `video:vsync` define option during VIDEO encoding or decoding. Because `SanitizeString` does not block the double-quote character, the attacker can break out of the quoted argument and inject arbitrary commands using backticks or `$()` syntax. The injected commands are executed via `system()` when the delegate command is run. The attack requires the attacker to control the `-define` argument passed to ImageMagick (e.g., `` magick identify -define video:pixel-format='rgba"`cat test.txt > /tmp/leak.txt`"' test.mov ``) [ref_id=1].
Affected code
The vulnerability resides in the VIDEO decode delegate execution path introduced in commit cc4638d and the `ExternalDelegateCommand` function. ImageMagick supports user-defined options `video:vsync` and `video:pixel-format`, whose values are concatenated into a delegate command string that is passed to `ExternalDelegateCommand`. The `SanitizeString` function used there only blocks the characters `&;<>|` but does not block the double-quote character (`"`), leaving the door open for command injection [ref_id=1].
What the fix does
The advisory does not include a published patch for this specific CVE. The researcher notes that the root cause is the same mistake as in the `-authenticate` parameter sanitization for PDF password support, where the common vulnerability in `ExternalDelegateCommand` was not fixed. The remediation would require extending the `SanitizeString` character blacklist to include the double-quote character (`"`) or, more robustly, switching to a safer argument-passing mechanism that avoids shell interpretation entirely [ref_id=1].
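The two remediation options above, as an added example that is not ImageMagick's code and does not come from the advisory: a model of the five-character denylist beside an allowlist check and an argv builder that keeps the value away from the shell. The function names, the token policy and the ffmpeg argument layout are assumptions, and the sample value is constructed.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample value with the same shape as the one quoted above. */
static const char SAMPLE[] = "rgba\"`true`\"";

/* Model of the denylist described above (not ImageMagick's code): none of & ; < > | */
static int denylist_passes(const char *v) {
    return strpbrk(v, "&;<>|") == NULL;
}

/* Even inside a double-quoted sh word these stay special: '"' closes the
   quoting, '`' and '$' start substitutions, '\' escapes. */
static int inert_in_double_quotes(const char *v) {
    return strpbrk(v, "\"`$\\") == NULL;
}

/* Assumed policy: option values are short tokens of letters, digits,
   '_' and '-' (for example rgba, yuv420p, cfr, -1). */
static int allowlisted_token(const char *v) {
    size_t n = strlen(v);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)v[i]) && v[i] != '_' && v[i] != '-')
            return 0;
    return 1;
}

/* Build an argv vector for execvp()-style execution instead of a string
   for system(): each value is one argv element and no shell parses it.
   Illustrative ffmpeg layout. Returns the argument count, or -1 on rejection. */
static int build_delegate_argv(const char *pix_fmt, const char *vsync,
                               const char *input, const char *argv[8]) {
    if (!allowlisted_token(pix_fmt) || !allowlisted_token(vsync)) return -1;
    int n = 0;
    argv[n++] = "ffmpeg";
    argv[n++] = "-vsync";   argv[n++] = vsync;
    argv[n++] = "-i";       argv[n++] = input;
    argv[n++] = "-pix_fmt"; argv[n++] = pix_fmt;
    argv[n] = NULL;
    return n;
}

int main(void) {
    const char *out[8];
    return !(denylist_passes(SAMPLE) && !inert_in_double_quotes(SAMPLE) &&
             build_delegate_argv(SAMPLE, "cfr", "test.mov", out) == -1);
}
```

A value with no `"` still fails `inert_in_double_quotes` if it contains a backtick or `$`, so a denylist extended with `"` alone leaves substitution open; the allowlist and argv path do not depend on getting that list right.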
Preconditions
- input: Attacker must be able to supply a -define argument with video:pixel-format or video:vsync to an ImageMagick command
- config: ImageMagick must be configured to use the VIDEO delegate (e.g., ffmpeg) for encoding or decoding
Reproduction
1. Create a test file with content to exfiltrate: `echo 'deadbeef' > test.txt`
2. Run the identify command with a crafted `video:pixel-format` define: `` magick identify -define video:pixel-format='rgba"`cat test.txt > /tmp/leak.txt`"' test.mov ``
3. Verify the injected command executed: `cat /tmp/leak.txt` should output `deadbeef`
4. Alternatively, trigger via encoding: `` magick convert -define video:pixel-format='rgba"`cat test.txt > /tmp/leak3.txt`"' smile.gif smile.mov `` [ref_id=1]
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UFQJCYJ23HWHNDOVKBHZQ7HCXXL6MM3/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2ZUHZXQ2C3JZYKPW4XHCMVVL467MA2V/ (mitre, vendor-advisory)
- access.redhat.com/security/cve/CVE-2023-34153 (mitre)
- bugzilla.redhat.com/show_bug.cgi (mitre)
- github.com/ImageMagick/ImageMagick/issues/6338 (mitre)