ImageMagick Policy Bypass Exposes Restricted Content via Path Traversal (CVSS 8.6)
A high-severity vulnerability (CVSS 8.6) in the Magick.NET-Q16-AnyCPU library allows an attacker to bypass ImageMagick's security policy and read restricted content through path traversal. The flaw originates in ImageMagick, the engine that Magick.NET wraps: a hardened policy.xml whose path rules are meant to restrict which files the library may read can be circumvented with traversal sequences, so files and directories the policy should keep off-limits become readable. Any application that processes untrusted image uploads with this library is exposed to data disclosure.
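The class of bypass the advisory describes, as an added illustration (Python written for this page, not Magick.NET or ImageMagick code, and not a reconstruction of the actual ImageMagick defect): a path-domain deny rule matched against the raw path string, beside the same rule applied only after the path is canonicalised and confined to the directory the application intends to serve. The policy excerpt, the /var/uploads directory and the candidate paths are constructed for the example.

```python
import fnmatch
import posixpath
import xml.etree.ElementTree as ET

# Constructed policy excerpt (not a real ImageMagick policy.xml): the "path"
# domain denies reads under /etc and the "@file" indirect-read syntax.
POLICY_XML = """<policymap>
  <policy domain="path" rights="none" pattern="/etc/*"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""

# Hypothetical directory the application intends to confine image reads to.
UPLOAD_DIR = "/var/uploads"


def deny_patterns(policy_xml: str) -> list[str]:
    """Return the glob pattern of every path-domain policy with rights="none"."""
    root = ET.fromstring(policy_xml)
    return [
        p.get("pattern")
        for p in root.iter("policy")
        if p.get("domain") == "path" and p.get("rights") == "none"
    ]


def naive_is_denied(path: str, patterns: list[str]) -> bool:
    """Match the deny patterns against the path string exactly as supplied.

    This is the weak form of the check: a traversal sequence changes the
    string without changing the file it resolves to, so
    "/var/uploads/../../etc/passwd" does not match "/etc/*" although it
    opens /etc/passwd.
    """
    return any(fnmatch.fnmatchcase(path, pat) for pat in patterns)


def hardened_is_denied(path: str, patterns: list[str], base: str = UPLOAD_DIR) -> bool:
    """Canonicalise before matching, then confine the result to `base`.

    An indirect read ("@file") is matched on the raw string because the
    leading "@" is syntax, not part of a filename. Every other path is
    resolved relative to `base`, traversal is collapsed lexically with
    normpath, the deny patterns are applied to the result, and anything
    that still lies outside `base` is denied even if no pattern names it.
    normpath does not follow symlinks; use os.path.realpath when the
    filesystem is available.
    """
    if path.startswith("@"):
        return any(fnmatch.fnmatchcase(path, pat) for pat in patterns)
    resolved = posixpath.normpath(posixpath.join(base, path))
    if any(fnmatch.fnmatchcase(resolved, pat) for pat in patterns):
        return True
    return posixpath.commonpath([base, resolved]) != base


if __name__ == "__main__":
    pats = deny_patterns(POLICY_XML)
    for candidate in ["/etc/passwd", "/var/uploads/../../etc/passwd",
                      "cat.png", "../secrets/key.pem", "@/etc/passwd"]:
        print(f"{candidate!r}: naive denied={naive_is_denied(candidate, pats)}, "
              f"hardened denied={hardened_is_denied(candidate, pats)}")
```

The traversal candidate is the one that separates the two checks: the naive matcher lets it through because the literal string never starts with "/etc/", while the hardened matcher sees "/etc/passwd" and rejects it. The confinement step is what catches a read like "../secrets/key.pem" that no deny pattern happens to name.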
The affected package is Magick.NET-Q16-AnyCPU version 14.10.2. Magick.NET inherits the weakness from the ImageMagick build it bundles: path traversal sequences escape the confines of a secured policy. Version 14.11.1 is the fixed release and closes the bypass. Automated dependency-scanning tooling has flagged the issue, and remediation in dependent projects is in progress.
This vulnerability puts a wide range of applications at risk, particularly web services, content management systems, and any platform that hands user-supplied images to Magick.NET. The high severity score reflects the potential for unauthorized information disclosure. Developers and security teams should update to version 14.11.1 immediately. Because the bypass defeats policy.xml enforcement itself, tightening the policy file is not a substitute for the upgrade; in addition, untrusted image processing should run in an isolated worker that has no access to credentials or other sensitive files, so that a future policy bypass discloses nothing of value.