VYPR
Medium severity (5.3) · GHSA Advisory · Published May 18, 2026 · Updated May 18, 2026

ImageMagick: Policy Bypass in PSD decoder

CVE-2026-45031

Description

Due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing check in ImageMagick's PSD decoder allows bypass of the `list-length` resource policy, risking denial of service via crafted images.

Vulnerability

A missing check in the PSD decoder of ImageMagick (all versions prior to the fix in the associated advisory) allows an attacker to bypass the list-length resource policy when decoding a crafted PSD image. Other security limits remain in effect. The affected versions include ImageMagick itself and the Magick.NET NuGet packages (e.g., Magick.NET-Q16-AnyCPU) before version 14.13.1 [1][2].

Exploitation

The attacker must supply a specially crafted PSD image to an application or service that uses ImageMagick to decode images. No authentication or special privileges are required, and no user interaction beyond triggering the decode (e.g., viewing the image) is needed. The attack can be performed remotely over a network [3]. The exploitation sequence involves sending the malicious PSD file to the target, which then decodes it and bypasses the list-length limit.

Impact

Successful exploitation allows the attacker to bypass the resource policy intended to limit resource consumption (e.g., memory used by image layers). This could lead to excessive resource consumption, resulting in a denial-of-service (DoS) condition as the application may exhaust available memory or processing time. The CVSS vector notes impacts on availability as the primary concern [3].

Mitigation

The fix is included in ImageMagick version 14.13.1 (and corresponding Magick.NET packages) as noted in the GitHub advisory [2]. Users should upgrade to these patched versions. No workaround is available; however, other security limits (e.g., memory, map, disk) still apply and may partially mitigate the impact. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
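As an added illustration (not from the advisory or the ImageMagick project), the policy.xml fragment below sets the `list-length` limit the advisory refers to next to the memory, map and disk limits that remain enforced during PSD decoding; the numeric values and the file path are assumptions for a typical server install.

```xml
<!-- Added example policy.xml fragment; values are assumed, not recommended figures.
     Typically installed at /etc/ImageMagick-7/policy.xml (path is an assumption). -->
<policymap>
  <!-- list-length caps the number of images in a list (for PSD, the layers).
       This is the limit a crafted PSD could exceed before the fix. -->
  <policy domain="resource" name="list-length" value="32"/>
  <!-- These limits are still applied while the PSD is decoded and bound the
       memory, mapped memory, disk and wall-clock time the decode may consume. -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="time" value="60"/>
</policymap>
```

After editing, confirm the active limits with `magick -list resource` (ImageMagick 7) so a stale or unread policy file does not leave the defaults in place.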

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (No linked articles in our index yet.)