CVE-2023-1289: Uncontrolled Recursion Denial of Service in ImageMagick SVG Processing
Vulnerability ID: CVE-2023-1289
CVSS Score: 5.5
Published: 2026-03-12
ImageMagick versions prior to 7.1.1-0 are vulnerable to a Denial of Service (DoS) flaw caused by uncontrolled recursion when parsing specially crafted SVG files. This vulnerability leads to process crashes via stack exhaustion and severe disk space exhaustion due to the generation of massive temporary files.
TL;DR
A vulnerability in ImageMagick's SVG rendering allows attackers to cause a Denial of Service by supplying a recursive SVG file, leading to segmentation faults and rapid disk exhaustion via temporary files.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-674
- CVSS Score: 5.5
- Attack Vector: Local (User Interaction Required)
- Impact: Availability (High), i.e. Denial of Service; no confidentiality or integrity impact
- Exploit Status: Proof of Concept
- EPSS Probability: 0.10%
Affected Systems
- ImageMagick
- Fedora 36
- Fedora 37
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Debian (Buster/LTS)
- Amazon Linux
- openSUSE
- ImageMagick: < 7.1.1-0 (fixed in 7.1.1-0)
Code Analysis
Commit: c5b23cb
Fix uncontrolled recursion in SVG drawing logic by properly propagating recursion_depth.
Mitigation Strategies
- Upgrade ImageMagick to 7.1.1-0 or later
- Implement restrictive policy.xml limits for disk and memory resources
- Disable the SVG coder entirely via policy.xml if vector processing is not required
Remediation Steps
- Verify current ImageMagick version running on the system infrastructure
- Update the package via system package manager or compile version 7.1.1-0+
- Modify /etc/ImageMagick-7/policy.xml to restrict SVG resources or disable the coder
- Restart any dependent services (e.g., web servers, application workers) to apply configuration changes
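The remediation steps above, worked through as an added example that is not part of the advisory and not ImageMagick's own tooling: a POSIX shell script that compares the installed ImageMagick version against the fixed release named on this page (7.1.1-0), parses the `magick -version` / `convert -version` banner, and emits a restrictive `policy.xml` that caps disk, memory and render time and disables the SVG coders. The resource values in the policy are constructed starting points to tune for your workload; the policy file path assumed is the one the advisory names for ImageMagick 7.

```shell
#!/bin/sh
# Added example: version check and policy.xml hardening for CVE-2023-1289.
# Not part of the advisory or the ImageMagick project.

FIXED_VERSION="7.1.1-0"   # first fixed release according to the advisory

# Compare two ImageMagick version strings of the form MAJOR.MINOR.PATCH-REL.
# Prints -1, 0 or 1. Missing trailing components are treated as 0.
vercmp() {
    a=$(printf '%s\n' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s\n' "$2" | sed 's/[.-]/ /g')
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d' ' -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$b" | cut -d' ' -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# True (exit 0) when the given version is older than FIXED_VERSION.
is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Extract "7.1.0-62" from a "Version: ImageMagick 7.1.0-62 Q16-HDRI ..." banner on stdin.
parse_version() {
    sed -n 's/^Version: ImageMagick \([0-9][0-9.-]*\).*/\1/p'
}

# Emit a restrictive policy fragment. Install as /etc/ImageMagick-7/policy.xml
# (path named in the advisory; constructed limit values, adjust to your workload).
write_policy() {
cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <!-- Cap what a single render may consume; "disk" bounds the temporary
       files that this CVE abuses, "time" bounds runaway rendering. -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="area" value="128MB"/>
  <policy domain="resource" name="time" value="60"/>
  <!-- Disable vector input entirely when it is not needed. -->
  <policy domain="coder" rights="none" pattern="SVG"/>
  <policy domain="coder" rights="none" pattern="MSVG"/>
</policymap>
EOF
}

# Live check against the installed binary (magick for IM7, convert for IM6).
main() {
    cmd=""
    for c in magick convert; do
        if command -v "$c" >/dev/null 2>&1; then cmd="$c"; break; fi
    done
    if [ -z "$cmd" ]; then
        echo "ImageMagick not found on PATH" >&2
        return 2
    fi
    v=$("$cmd" -version | parse_version)
    if is_vulnerable "$v"; then
        echo "ImageMagick $v is older than $FIXED_VERSION: upgrade, or apply this policy:"
        write_policy
        return 1
    fi
    echo "ImageMagick $v is at or past $FIXED_VERSION; effective policy:"
    "$cmd" -list policy 2>/dev/null | head -n 40
}

# Run the live check only when invoked with --check so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh check_imagemagick.sh --check` on each host; a non-zero exit means the installed build predates the fix, and the printed policy can be installed as an interim control until the package is upgraded and dependent services restarted.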