PatchSiren cyber security CVE debrief

CVE-2015-8901 Imagemagick CVE debrief

CVE-2015-8901 is a denial-of-service issue in ImageMagick 6.x before 6.9.0-5 Beta. According to NVD, a crafted MIFF file can trigger an infinite loop, allowing a remote attacker to make the affected process unavailable. The record rates the issue CVSS 3.1 6.5 (medium) and maps it to CWE-835 (Infinite Loop).

Vendor: Imagemagick
Product: CVE-2015-8901
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and platform owners who use ImageMagick to process user-supplied or otherwise untrusted image files should care most. This is especially relevant for web applications, media pipelines, and services where image conversion or inspection happens automatically.

Technical summary

NVD describes the flaw as a crafted MIFF file causing ImageMagick to enter an infinite loop, resulting in denial of service. The vulnerable range is ImageMagick 6.0 through versions before 6.9.0-5 Beta. The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, no privileges required, user interaction required (someone or something has to feed the file to ImageMagick), unchanged scope, and high impact on availability only, with no confidentiality or integrity impact.

Defensive priority

Medium. The impact is availability-only, but the issue is remotely triggerable through malicious image content and can affect automated image-processing workflows.

Recommended defensive actions

  • Upgrade ImageMagick to a fixed release at or beyond 6.9.0-5 Beta, or deploy the vendor-recommended patched version if you maintain a packaged build.
  • Inventory systems and applications that invoke ImageMagick on untrusted files, including upload handlers, document converters, thumbnailers, and batch processing jobs.
  • Restrict or sandbox image-processing services so a hung process cannot take down a broader workload.
  • Validate and isolate untrusted image inputs before handing them to ImageMagick, and add timeouts or watchdogs around conversion jobs.
  • Monitor vendor and distribution advisories for backported fixes if you rely on OS-packaged ImageMagick builds.
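The timeout and watchdog recommendation above, as an added example that is not part of this debrief or of ImageMagick itself: a hypothetical wrapper that runs one conversion command under both a wall-clock deadline and a kernel CPU-time limit, so a decoder stuck in a loop on a crafted file is killed instead of pinning a worker forever. The command is passed in by the caller; the stand-in loop at the bottom lets it run without ImageMagick installed.

```python
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass

# Interpreter path, exposed so callers can build a stand-in command
# when no ImageMagick binary is available.
PYTHON = sys.executable


@dataclass
class ConvertResult:
    ok: bool
    reason: str  # "ok", "timeout", "cpu-limit", "signal:<n>" or "exit:<code>"


def _cpu_limit(cpu_seconds: int):
    # Runs in the child before exec: once the process burns this much CPU
    # time the kernel sends SIGXCPU, a second safety net under the
    # wall-clock timeout below (a looping decoder is pure CPU burn).
    def apply():
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    return apply


def guarded_convert(argv, wall_seconds=10, cpu_seconds=10) -> ConvertResult:
    """Run one conversion (e.g. ["convert", "in.miff", "out.png"], hypothetical
    paths) under a deadline. subprocess.run kills and reaps the child before
    raising TimeoutExpired, so no hung converter is left behind."""
    try:
        proc = subprocess.run(
            argv, capture_output=True, timeout=wall_seconds,
            preexec_fn=_cpu_limit(cpu_seconds), check=False,
        )
    except subprocess.TimeoutExpired:
        return ConvertResult(False, "timeout")
    if proc.returncode == -signal.SIGXCPU:
        return ConvertResult(False, "cpu-limit")
    if proc.returncode < 0:
        return ConvertResult(False, f"signal:{-proc.returncode}")
    if proc.returncode != 0:
        return ConvertResult(False, f"exit:{proc.returncode}")
    return ConvertResult(True, "ok")


if __name__ == "__main__":
    # Constructed stand-in for a decoder stuck in an infinite loop.
    print(guarded_convert([PYTHON, "-c", "while True: pass"],
                          wall_seconds=3, cpu_seconds=1))
```

Which of the two limits fires first depends on host load, so callers should treat "timeout" and "cpu-limit" alike: quarantine the input and count the event, since repeated hits from one source are a useful detection signal for this class of bug.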

Evidence notes

The supplied NVD record lists the affected CPE as cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* with versionStartIncluding 6.0 and versionEndExcluding 6.9.0-5. NVD assigns CVSS 3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H and CWE-835. References in the record include an ImageMagick vendor advisory/discussion, oss-security mailing list posts from 2015 and 2016, a Red Hat bug tracker entry, and one broken Trac link.

Official resources

The CVE record was published on 2017-02-27 22:59:00.230Z, with the NVD entry last modified on 2026-05-13 00:24:29.033Z. The supplied references show earlier public discussion in 2015 and 2016, but those dates should not be treated as the CV