CVE-2017-6502 Imagemagick CVE debrief

Who should care

Operators and developers running ImageMagick 6.9.7, especially services that process user-supplied WebP images. SRE and operations teams should also care if resource exhaustion, file-descriptor limits, or repeated image-processing jobs could affect service availability.

Technical summary

According to NVD, processing a crafted WebP image in ImageMagick 6.9.7 can leak file descriptors in libmagickcore. Repeated processing can consume available descriptors and cause denial of service through availability exhaustion. The NVD entry maps the issue to CWE-119 and references an upstream ImageMagick patch commit.

Defensive priority

Medium. Prioritize this if ImageMagick is in a production image-ingest path or handles untrusted WebP content, because descriptor leakage can still disrupt availability even without code execution.

Recommended defensive actions

• Apply the upstream ImageMagick fix referenced by commit 126c7c98ea788241922c30df4a5633ea692cf8df.
• Inventory systems using ImageMagick 6.9.7 and identify any WebP processing paths.
• Limit exposure of untrusted image uploads to isolated, least-privilege processing environments.
• Monitor image-processing workers for rising open file descriptor counts or resource exhaustion, and restart affected services if leakage is observed.

Evidence notes

The supplied NVD record states: "A specially crafted webp file could lead to a file-descriptor leak in libmagickcore (thus, a DoS)." It lists the vulnerable CPE cpe:2.3:a:imagemagick:imagemagick:6.9.7:*:*:*:*:*:*:*, the CVSS v3.0 vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, and weakness CWE-119. References include SecurityFocus BID 96763 and the upstream ImageMagick patch commit 126c7c98ea788241922c30df4a5633ea692cf8df.

Official resources