Cyber Resilience

CVE-2024-41817

High · Public PoC

Published: 29 July 2024

Modified: 20 November 2025
CVSS Score v3.1: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1859 (95.4th percentile)
Risk Priority: 25 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-41817 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in ImageMagick. Its CVSS base score is 7.0 (High).

Operationally, it ranks in the top 4.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

ImageMagick's AppImage packaging is affected by an untrusted search path vulnerability (CWE-427) in which the AppRun script sets the MAGICK_CONFIGURE_PATH and LD_LIBRARY_PATH environment variables to include an empty entry. This occurs because the script constructs the paths without properly handling the current working directory, allowing the ImageMagick 7.x AppImage (prior to version 7.11-36) to load configuration files or shared libraries from that location during execution.

An attacker with local access and the ability to write to a victim's current working directory can exploit the flaw by placing a malicious configuration file or library with a predictable name. When a user or process subsequently runs the AppImage, ImageMagick will load the attacker's code, resulting in arbitrary code execution with the privileges of the ImageMagick process. The CVSS 7.0 score reflects the local attack vector, high complexity, and low privileges required, with no user interaction needed.

The GitHub Security Advisory GHSA-8rxc-922v-phg8 and the referenced commit 6526a2b28510ead6a3e14de711bb991ad9abff38 document the root cause in the AppRun script and confirm the issue is resolved in ImageMagick 7.11-36 by ensuring the environment variables do not contain empty path components. The EPSS score has remained near 0.19 with only minor fluctuation since disclosure.
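A defender-side check for the condition described above, as an added example that is not code from the ImageMagick project or the advisory: it flags colon-separated search-path values that contain an empty element and prints a cleaned value. The function names and the sample path are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: find and remove empty elements in colon-separated search paths.

# Exit 0 if VALUE has a leading, trailing or doubled ':' (an empty element).
# Assumption of this example: a wholly empty value counts as "not set".
has_empty_element() {
    case "$1" in
        "")          return 1 ;;
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Print VALUE with every empty element dropped; order of the rest is kept.
# The body runs in a subshell so its working variables do not leak.
strip_empty_elements() (
    out=
    rest=$1
    while [ -n "$rest" ]; do
        case "$rest" in
            *:*) elem=${rest%%:*}; rest=${rest#*:} ;;
            *)   elem=$rest; rest= ;;
        esac
        if [ -n "$elem" ]; then out=${out:+$out:}$elem; fi
    done
    printf '%s\n' "$out"
)

# Check the named variables (default: the two named in the advisory).
# Returns the number of variables that contain an empty element.
audit_search_paths() {
    [ "$#" -gt 0 ] || set -- LD_LIBRARY_PATH MAGICK_CONFIGURE_PATH
    flagged=0
    for name in "$@"; do
        eval "value=\${$name-}"
        if has_empty_element "$value"; then
            printf 'WARN %s has an empty element: %s\n' "$name" "$value" >&2
            flagged=$((flagged + 1))
        fi
    done
    return "$flagged"
}

# Constructed sample value with a trailing ':' (not taken from the AppRun script).
SAMPLE_PATH='/tmp/.mount_demo/usr/lib:'
audit_search_paths SAMPLE_PATH ||
    printf 'cleaned: %s\n' "$(strip_empty_elements "$SAMPLE_PATH")"
```

Called with no arguments from a wrapper script or a CI job, `audit_search_paths` checks the two variables named in this advisory as they are set in the current environment.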

Vulnerability details

ImageMagick is a free and open-source software suite, used for editing and manipulating digital images. The `AppImage` version of `ImageMagick` might use an empty path when setting `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables while executing, which might lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory while executing `ImageMagick`. The vulnerability is fixed in 7.11-36.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

imagemagick
imagemagick
7.0.11-13 — 7.1.1-36

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
