Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 5.9 NuGet

ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access

GHSA-xwc6-v6g8-pw2h · CVE-2026-25966

Published · Modified

Description

The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams:

<policy domain="path" rights="none" pattern="-"/>

However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”.

To resolve this, users can add the following change to their security policy.

<policy domain="path" rights="none" pattern="fd:*"/>

And this will also be included in ImageMagick's more secure policies by default.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes