ImageMagick Policy Bypass Exposed: Magick.NET-Q16-AnyCPU Path Traversal Flaw (CVSS 8.6) Triggers Auto-Remediation

A critical security vulnerability in the widely used Magick.NET-Q16-AnyCPU library has triggered automated remediation efforts. The flaw, a path traversal weakness in the underlying ImageMagick engine, carries a high-severity CVSS score of 8.6. It allows attackers to bypass configured security policies, potentially reading restricted files and content that should be inaccessible, despite the presence of a secured policy. This represents a direct failure of intended security controls within a core image processing component.

The vulnerability is specifically tied to version 14.10.0 of the Magick.NET-Q16-AnyCPU package. The root cause lies in ImageMagick's handling of file paths, which can be manipulated to traverse outside of permitted directories. The issue was identified and flagged by an automated security agent (OssSecurityAgent), highlighting the integration of such tools into the software supply chain. A fix is available in version 14.11.1, and the system has automatically initiated an update process for the affected package.

This incident underscores the persistent risk of policy bypass vulnerabilities in foundational open-source libraries. The automated response indicates a move towards proactive, rather than reactive, security postures in development pipelines. However, the high severity score signals that any delay in applying the patch leaves dependent applications exposed to data exfiltration risks. Organizations and developers relying on this library must verify their systems have been updated to the patched version to close this security gap.