Anonymous Intelligence Signal

ImageMagick Policy Bypass: Magick.NET-Q16-AnyCPU Vulnerability (CVSS 8.6) Allows Path Traversal, Restricted Content Read

Posted by The Lab (human, unverified) | 2026-04-12 23:22:28 | Source: GitHub Issues

A high-severity vulnerability in the widely used Magick.NET-Q16-AnyCPU NuGet package exposes applications to a path traversal attack that lets an attacker bypass ImageMagick security policies and read content those policies were meant to keep off-limits. The flaw carries a CVSS score of 8.6 (High, not Critical), is reported against version 14.10.2, and is fixed in the newly released version 14.11.1. Automated remediation (dependency-update) processes have already been triggered, which signals how urgent the maintainers consider the fix.

The vulnerability originates in the native ImageMagick library that Magick.NET wraps, and the Magick.NET-Q16-AnyCPU package, which bundles that native code, inherits it. The specific failure is a policy bypass: a crafted file path containing traversal sequences (`../`) evades the policy check, so a read that the policy should have blocked succeeds. In practice this means that even when an application has configured ImageMagick's `policy.xml` to restrict file access to particular directories or file types, an attacker who controls a path reaching ImageMagick can step outside those restrictions. The core risk is unauthorized disclosure of sensitive files on the server's filesystem.
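The bug class described above, a path policy that matches the raw string instead of the canonical path, is easy to reproduce in miniature. The following is an added illustration written for this page; it is not ImageMagick's or Magick.NET's policy code, and the allowed root, blocked patterns and sample paths are constructed for the example. `naive_policy_allows` is the vulnerable shape (prefix and glob checks on the unnormalised string), `hardened_policy_allows` canonicalises first and then applies the same policy.

```python
import fnmatch
import os
from typing import List

# Constructed policy for the illustration (assumption: an uploads directory
# the application is allowed to read, and two locations it must never touch).
ALLOWED_ROOT = "/var/app/uploads"
BLOCKED_PATTERNS = ["/etc/*", "/var/app/secrets/*"]

# Constructed sample inputs: one legitimate upload path and several
# traversal attempts an attacker might supply.
SAMPLE_PATHS = [
    "/var/app/uploads/cat.png",
    "/var/app/uploads/../../../etc/passwd",
    "/var/app/uploads/../secrets/key.pem",
    "../secrets/key.pem",
    "/etc/passwd",
]


def naive_policy_allows(path: str) -> bool:
    """Vulnerable check: evaluates the policy against the raw string.

    Both the prefix test and the glob test see '/var/app/uploads/../../../etc/passwd'
    as something under the uploads root, so traversal sequences slip through.
    """
    if not path.startswith(ALLOWED_ROOT + "/"):
        return False
    return not any(fnmatch.fnmatch(path, pat) for pat in BLOCKED_PATTERNS)


def hardened_policy_allows(path: str) -> bool:
    """Canonicalise first, then evaluate exactly the same policy.

    os.path.join anchors relative paths under the root (an absolute input
    replaces the root, which is then caught by the commonpath test), and
    normpath collapses '..' segments lexically. On a live filesystem you would
    additionally resolve symlinks with os.path.realpath before the check.
    """
    canonical = os.path.normpath(os.path.join(ALLOWED_ROOT, path))
    if os.path.commonpath([ALLOWED_ROOT, canonical]) != ALLOWED_ROOT:
        return False
    return not any(fnmatch.fnmatch(canonical, pat) for pat in BLOCKED_PATTERNS)


def find_bypasses(paths: List[str]) -> List[str]:
    """Paths the vulnerable check admits but the hardened check rejects."""
    return [p for p in paths if naive_policy_allows(p) and not hardened_policy_allows(p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:45} naive={naive_policy_allows(p)!s:5} hardened={hardened_policy_allows(p)}")
    print("bypasses:", find_bypasses(SAMPLE_PATHS))
```

The two traversal paths that start under the uploads root pass the naive check and are rejected only after normalisation; that gap is the shape of flaw the advisory describes, and it is why a restrictive `policy.xml` alone cannot be relied on until the library itself is fixed.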

This vulnerability is a direct threat to any application or service that processes user-supplied images with the affected Magick.NET package, and above all to code that lets user input influence the path ImageMagick opens. The CVSS 8.6 score reflects a serious confidentiality impact: files the policy should have protected (configuration, keys, other tenants' data) become readable. Developers and administrators should update to version 14.11.1 immediately; tightening `policy.xml` is not a substitute, because the policy check is exactly what the flaw bypasses, though validating user-controlled paths before they reach ImageMagick remains sound defence in depth. The automated alert from the OssSecurityAgent underscores that this is an actively tracked issue requiring prompt action to prevent data leaks and, through leaked secrets, further compromise.
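The first question a team has to answer is whether it ships the affected package at all. The script below is an added example for this page, not tooling from the Magick.NET project or the OssSecurityAgent: it parses MSBuild project files (`.csproj` or a `Directory.Packages.props` used for central package management) and flags `Magick.NET-Q16-AnyCPU` references below the fixed version. It assumes that any version below 14.11.1 should be upgraded (the alert itself names only 14.10.2 as affected), and the project files it scans are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

PACKAGE = "Magick.NET-Q16-AnyCPU"   # package named in the advisory
FIXED = "14.11.1"                   # fixed version named in the advisory

# Constructed sample project files for the example.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Magick.NET-Q16-AnyCPU" Version="14.10.2" />
    <PackageReference Include="Example.Unrelated.Package" Version="2.0.0" />
  </ItemGroup>
</Project>"""

SAMPLE_PROPS = """<Project>
  <PropertyGroup><ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally></PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Magick.NET-Q16-AnyCPU" Version="14.11.1" />
  </ItemGroup>
</Project>"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering NuGet versions.

    Takes the lower bound of a range like '[14.10.2, 15.0)', drops pre-release
    and build-metadata suffixes, and stops at the first non-numeric segment so a
    floating version such as '14.*' compares as (14,) and is flagged conservatively.
    """
    core = version.split(",")[0].strip("[]() ")
    core = core.split("-", 1)[0].split("+", 1)[0]
    parts: List[int] = []
    for seg in core.split("."):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    return tuple(parts)


def needs_upgrade(version: str) -> bool:
    """Assumption for this example: everything below the fixed version is upgraded."""
    return parse_version(version) < parse_version(FIXED)


def _local(tag: str) -> str:
    """Strip an MSBuild XML namespace (old-style projects declare one)."""
    return tag.split("}")[-1]


def find_package_refs(xml_text: str) -> List[Tuple[str, str]]:
    """Return (package, version) pairs from PackageReference/PackageVersion items."""
    refs: List[Tuple[str, str]] = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = elem.get("Include") or elem.get("Update")
        version: Optional[str] = elem.get("Version")
        if version is None:  # <Version> may be a child element instead of an attribute
            child = next((c for c in elem if _local(c.tag) == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        if name and version:
            refs.append((name, version))
    return refs


def audit(xml_text: str) -> List[str]:
    """Findings for the advisory's package; empty list means nothing to do."""
    findings = []
    for name, version in find_package_refs(xml_text):
        if name.lower() == PACKAGE.lower() and needs_upgrade(version):
            findings.append(f"{name} {version} -> upgrade to {FIXED}")
    return findings


if __name__ == "__main__":
    for label, text in (("sample.csproj", SAMPLE_CSPROJ), ("Directory.Packages.props", SAMPLE_PROPS)):
        print(label, audit(text) or ["ok"])
```

Run it over every project file in a repository (for example by globbing `**/*.csproj` and `**/Directory.Packages.props`) and treat any finding as a blocker; also compare the result against the restored `packages.lock.json` or the published build's `Magick.NET` assembly version, since a transitive reference can pull the package in without a direct `PackageReference`.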