ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading from and writing to the standard streams. However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, so it bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch that adds the missing rule to the more secure policies by default. As a workaround, add the same rule to one's security policy manually.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick's secure policy blocks standard streams with '-' pattern but misses 'fd:*' pseudo-filenames, enabling bypass; fixed in versions 7.1.2-15 and 6.9.13-40.
ImageMagick's "secure" security policy includes a rule to prevent reading from or writing to standard streams by blocking the "-" filename pattern. However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1) that are not covered by this rule. Prior to versions 7.1.2-15 and 6.9.13-40, the policy templates omit blocking the "fd:*" pattern, allowing an attacker to bypass the intended stdin/stdout restriction [2][4].
An attacker who can supply an input or output filename to ImageMagick (or an application using it) can specify fd:0 for stdin or fd:1 for stdout. This bypasses the secure policy and may enable reading from stdin or writing to stdout even when the policy explicitly prohibits it. The vulnerability is identified as GHSA-xwc6-v6g8-pw2h and is listed among security fixes in related software [3].
The impact is a security policy bypass that can lead to unintended access to standard streams, potentially allowing data leakage or injection depending on the context in which ImageMagick is used. Since the secure policy is intended to restrict file operations, this bypass undermines the protection goal [2].
The issue is patched in ImageMagick versions 7.1.2-15 and 6.9.13-40 by adding a path-domain policy rule with rights="none" for the "fd:*" pattern to the secure policy templates, alongside the existing "-" rule [4]. As a workaround, users can manually add this rule to their security policy configuration [2].
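To make the gap concrete, the following is an added example, not ImageMagick's code or any shipped policy file. It parses two constructed policy.xml-style fragments with the standard library and evaluates path-domain rules with glob matching, which is how the "-" and "fd:*" patterns are meant to be applied. The "before" fragment carries only the "-" standard-stream rule; the "after" fragment adds the fd:* rule. The first-match-wins evaluation and the probe filenames are assumptions of this model, chosen to show why fd:0 and fd:1 slip past a policy that only names "-".

```python
"""Model of ImageMagick path-domain policy matching (added illustration).

This is NOT ImageMagick's own policy code. It reads <policy domain="path">
elements from policy.xml-style text and applies glob matching (fnmatch) to the
filename handed to ImageMagick. A matching rule with rights="none" denies the
access. "First matching rule decides" is a simplifying assumption here.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed fragments, not copies of any shipped policy file.
# Before the fix: only the "-" standard-stream filename is blocked.
POLICY_BEFORE = """<policymap>
  <policy domain="path" rights="none" pattern="@*"/>
  <policy domain="path" rights="none" pattern="-"/>
</policymap>"""

# After the fix: the fd:* pseudo-filename form is blocked as well.
POLICY_AFTER = """<policymap>
  <policy domain="path" rights="none" pattern="@*"/>
  <policy domain="path" rights="none" pattern="-"/>
  <policy domain="path" rights="none" pattern="fd:*"/>
</policymap>"""


def load_path_rules(policy_xml):
    """Return [(pattern, rights)] for every domain="path" rule, in file order."""
    root = ET.fromstring(policy_xml)
    rules = []
    for el in root.iter("policy"):
        if el.get("domain") != "path":
            continue
        rules.append((el.get("pattern", "*"), el.get("rights", "")))
    return rules


def path_allowed(policy_xml, filename, want="read"):
    """Decide whether `filename` may be opened with the `want` right.

    Model assumption: the first rule whose glob matches decides. rights is a
    '|'-separated list such as "read|write"; "none" grants nothing. No match
    falls through to the default, which is to allow the access.
    """
    for pattern, rights in load_path_rules(policy_xml):
        if fnmatch.fnmatchcase(filename, pattern):
            granted = {r.strip() for r in rights.split("|")} if rights else set()
            return want in granted
    return True


def bypass_report(policy_xml):
    """Evaluate the filenames an attacker would try against one policy.

    Probe list is constructed: "-" is the classic stdin/stdout name, fd:N is
    the pseudo-filename form this advisory is about, input.png is a control.
    """
    probes = ["-", "fd:0", "fd:1", "fd:3", "input.png"]
    return {p: path_allowed(policy_xml, p) for p in probes}


if __name__ == "__main__":
    for label, pol in (("before fix", POLICY_BEFORE), ("after fix", POLICY_AFTER)):
        print(label, bypass_report(pol))
```

Against POLICY_BEFORE the report denies "-" but allows fd:0, fd:1 and fd:3, which is exactly the bypass; against POLICY_AFTER every fd: probe is denied while input.png is still allowed. On a real installation, `magick -list policy` prints the rules actually in effect, which is the quickest way to confirm that a manually added fd:* rule has been picked up.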
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Magick.NET-Q16-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x86 | NuGet | < 14.10.3 | 14.10.3 |
Affected products
- ImageMagick (no CPE), range: prior to 7.1.2-15 and 6.9.13-40
- ImageMagick (no CPE), range: >= 7.0.0, < 7.1.2-15
Patches
No patches discovered yet by this index; the upstream fix commit is listed under References.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xwc6-v6g8-pw2h (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25966 (NVD entry)
- github.com/ImageMagick/ImageMagick/commit/8d4c67a90ae458fb36393a05c0069e9123ac174c (fix commit)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xwc6-v6g8-pw2h (upstream advisory, x_refsource_CONFIRM)
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3 (Magick.NET release)
News mentions
No linked articles in our index yet.