Mitigating ImageMagick vulnerabilities in Node.js

Multiple severe and trivially exploited vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe which disables the vulnerable features, protecting against the known exploits.

TL; DR

ImageMagick is an extremely popular library and binary for manipulating images. Amongst other uses, it’s often used to process user generated content, such as avatar images, product photos or displaying images in social channels.

Earlier this week, multiple severe and easily exploited vulnerabilities in ImageMagick were disclosed. There is no official fix yet, but it can be mitigated by disabling certain features.

In Node.js, ImageMagick is primarily invoked through the imagemagick npm package. This package has not been updated in over 2 years, and so is unlikely to help address this issue.

To help protect Node.js ImageMagick users, we released a dedicated npm package called imagemagick-safe, which disables the vulnerable features. We also submitted a pull request with this change to the imagemagick package GitHub repo, but given the repo’s inactivity we think it’s unlikely it’ll be pulled in.

ImageTragick - background

The disclosed vulnerabilities are especially noteworthy for three reasons:

1. Some of the vulnerabilities are extremely severe, allowing attackers to execute commands on the server, expose server files and more.

2. The vulnerabilities trivial to exploit, requiring no more than a purpose-built image file and a single HTTP request.

3. There is still no official fix available.

4. The vulnerabilities are known to be exploited in the wild.

The whole incident is being referred to as ImageTragick, and you can find more detail about the vulnerabilities on its dedicated website, imagetragick.com.

Cause & mitigation

From what is currently known, the vulnerabilities are all related to the processing of specific image file types and keywords, such as MVG, URL and HTTPS. The file types support an internal action (e.g. include another image) and the processing of these actions is not sufficiently sanitized, enabling remote command execution. Here’s an example of an exploit, copied from the official vulnerability website:

Sample exploit.svg

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";> 
<svg width="640px" height="480px" version="1.1" xmlns="http://www.w3.org/2000/svg"; xmlns:xlink= "http://www.w3.org/1999/xlink";> 
<image xlink:href="https://example.com/image.jpg"|ls "-la" 
x="0" y="0" height="640px" width="480px"/>

Sample execution

$ convert exploit.mvg out.png
total 32
drwxr-xr-x 6 user group 204 Apr 29 23:08 .
drwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..

The way to disable support for these formats and keywords is by editing ImageMagick’s (optional) policy.xml configuration file, ensuring it includes the content below. Doing so will actually remove some functionality, but will also address the vulnerabilities. Note that editing the policy is not guaranteed to address all possible exploits, but the vulnerability researchers claim it blocks all those currently known to them.

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" /> 
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>

imagemagick-safe npm package

Given that the primary imagemagick package is not active, we created a new package called imagemagick-safe.

This package forces the use of the above policy, disabling features but removing vulnerabilities in the process. We recommend you use it until new ImageMagick binaries are released, and you’ve confirmed your systems are upgraded.

Note you can also use ImageMagick via the gm package, we’re looking at submitting a pull request there too.

If you find issues or otherwise have feedback about this package, please let us know at support@snyk.io.