Arbitrary Code Execution in `AppImage` version `ImageMagick`
Description
ImageMagick AppImage's empty paths in environment variables allow arbitrary code execution via malicious config or library files in current directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The AppImage version of ImageMagick (prior to 7.11-36) sets the `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables in its `AppRun` script in a way that can include empty path segments. For example, when no pre-existing value is set, the exported paths may begin or end with a colon (e.g., `::/some/path:`). An empty path component is interpreted as the current working directory, so ImageMagick may load configuration files or shared libraries from whatever directory it is launched in if an attacker can place malicious files there. The issue is present in the `AppRun` script as seen in references [1] and [3].
Exploitation
An attacker with the ability to write files to the current working directory where a victim runs the ImageMagick AppImage can craft a malicious magic.xml or other configuration file, or a malicious shared library, that will be loaded by ImageMagick due to the empty path being interpreted as the current directory. The attacker does not require elevated privileges or authentication beyond the ability to place files in the victim’s working directory (e.g., via a shared folder or by tricking the user into extracting a malicious archive). The victim must execute the AppImage from that directory, triggering the environment variable expansion.
Impact
Successful exploitation leads to arbitrary code execution in the context of the user running ImageMagick. The attacker can achieve full compromise of the user’s session, including data theft, malware installation, or lateral movement, depending on the user’s privileges.
Mitigation
The vulnerability is fixed in ImageMagick version 7.11-36, released on or before 2024-07-29 [1]. The fix, visible in the commit at reference [2], ensures that environment variable assignments do not introduce empty path components by using proper colon-delimiting with parameter expansion (`${VAR:+:$VAR}`). Users of the AppImage should upgrade to version 7.11-36 or later. No workaround is available for earlier versions; the only mitigation is to avoid running the AppImage in directories writable by untrusted users.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
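The colon handling described under Vulnerability and Mitigation, as an added shell example that is not ImageMagick's `AppRun` or any code from the project: it puts an always-append assignment beside the `${VAR:+:$VAR}` form and adds a check for empty components in path-list variables. The function names, `/opt/app/lib` and the way the weak pattern is written are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not ImageMagick's AppRun. /opt/app/lib is a constructed path.

# Weak pattern: always appends ":<old>", so an empty old value leaves a
# trailing colon, i.e. an empty path component.
build_weak() {    # $1 = directory to prepend, $2 = pre-existing value
    printf '%s\n' "$1:$2"
}

# Corrected pattern: ${old:+:$old} yields ":<old>" only when old is non-empty.
build_fixed() {
    old=$2
    printf '%s\n' "$1${old:+:$old}"
}

# Succeeds when a colon-separated list has a leading, trailing or doubled
# colon. A wholly empty value is deliberately not flagged (assumption).
has_empty_component() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit the named variables in the current environment; returns 1 if any
# of them carries an empty path component.
audit_vars() {
    rc=0
    for name in "$@"; do
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;   # not a valid variable name
        esac
        eval "value=\${$name-}"
        if has_empty_component "$value"; then
            printf '%s has an empty path component: "%s"\n' "$name" "$value"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: audit_vars MAGICK_CONFIGURE_PATH LD_LIBRARY_PATH
```

Running `audit_vars` from a wrapper script before launching an unpatched AppImage shows whether the inherited environment already carries an empty component.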
Affected products
- (no CPE) range: <7.11-36
- (no CPE) range: < 7.11-36
- osv-coords (5 versions): pkg:apk/chainguard/imagemagick-6, pkg:apk/chainguard/imagemagick-6-dev, pkg:apk/chainguard/imagemagick-6-doc, pkg:apk/chainguard/imagemagick-6-static, pkg:deb/ubuntu/imagemagick
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: >= 0
Patches
No patches discovered yet.
References
- github.com/ImageMagick/ImageMagick/blob/3b22378a23d59d7517c43b65b1822f023df357a0/app-image/AppRun (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/commit/6526a2b28510ead6a3e14de711bb991ad9abff38 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8 (mitre, x_refsource_CONFIRM)