MEDIUM 5.3

CVE-2026-45031: ImageMagick PSD Decoder Resource Policy Bypass

ImageMagick, a widely-used open-source image processing tool, contains a vulnerability in its PSD (Photoshop) file decoder that allows an attacker to circumvent resource limits designed to prevent denial-of-service attacks. By crafting a malicious PSD file, an attacker can cause excessive resource consumption during image decoding, potentially disrupting services that rely on ImageMagick to process untrusted image uploads. The vulnerability affects versions prior to 6.9.13-47 and 7.1.2-22, and patches are now available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-400, CWE-770
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-15

NVD description (verbatim)

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient validation in ImageMagick's PSD decoder module. Specifically, the decoder fails to properly enforce the list-length resource policy—a mechanism designed to cap the maximum number of elements processed during image decode operations. This missing check falls under improper resource validation (CWE-400) and uncontrolled resource consumption patterns (CWE-770). An attacker can exploit this by embedding a crafted PSD file with an abnormally large list structure, bypassing the intended resource limit and triggering uncontrolled memory or CPU consumption. Other security limits within ImageMagick (such as image dimensions or total pixel counts) continue to apply, which constrains the overall blast radius.

Business impact

Organizations using ImageMagick in production—particularly those processing user-supplied images for thumbnails, preview generation, or format conversion—face availability risk. A denial-of-service attack targeting the PSD decoder could consume server resources (memory or CPU), degrading performance or crashing image processing pipelines. Content management systems, web services, and SaaS platforms that auto-process PSD uploads are especially vulnerable. The impact is localized to availability; no data confidentiality or integrity compromise occurs.

Affected systems

ImageMagick versions prior to 6.9.13-47 (legacy series) and 7.1.2-22 (current series) are affected. Any application or service embedding or invoking ImageMagick for image processing is potentially at risk if PSD file handling is enabled or if the application accepts PSD uploads from untrusted sources. This includes web frameworks with image processing extensions, GraphQL image transformation APIs, containerized image processing services, and automated content pipelines.

Exploitability

This vulnerability requires network access and no authentication (CVSS vector reflects AV:N, PR:N), making it exploitable by remote, unauthenticated attackers. However, exploitation requires the target service to (1) accept PSD file uploads or process PSD files from untrusted sources, and (2) have PSD decoding enabled in ImageMagick. The barrier to entry is low—crafting a malicious PSD is straightforward for attackers with basic file format knowledge. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, suggesting it has not yet been weaponized in the wild, though this does not imply it is difficult to exploit.

Remediation

Upgrade ImageMagick immediately: to version 6.9.13-47 or later for the legacy branch, or to version 7.1.2-22 or later for the current branch. If immediate patching is not feasible, temporarily disable PSD file processing by configuring ImageMagick's policy.xml to restrict or block the 'PS' and 'PSD' coders. Additionally, restrict image upload functionality to only necessary formats (e.g., PNG, JPEG) and validate file types on upload. Implement resource limits at the application or container level (memory/CPU caps) to mitigate the impact of resource exhaustion attacks.

Patch guidance

Verify the ImageMagick version on affected systems using 'identify -version' or 'convert -version'. Apply security updates for version 6.9.13-47 or later and 7.1.2-22 or later according to your distribution or package manager. For systems using containerized ImageMagick, rebuild images with the patched version and restart containers. Test the patched version with existing PSD processing workflows to ensure no regressions. If custom ImageMagick builds are in use, rebuild from source with the latest upstream code.

Detection guidance

Monitor ImageMagick process resource usage (memory, CPU) during normal operation to establish a baseline. Set alerts for anomalous spikes in resource consumption during image processing, particularly if correlated with PSD file uploads. Examine web server logs for unusual PSD file uploads (Content-Type: image/vnd.adobe.photoshop or .psd file extensions). Intrusion detection systems with payload inspection can flag oversized or malformed PSD structures. Enable audit logging in any application layer that processes image uploads. Collect and retain error logs from ImageMagick to identify decode failures or resource exhaustion events.

Why prioritize this

Although this vulnerability carries a MEDIUM CVSS score (5.3) reflecting its denial-of-service nature and low attack complexity, prioritization should account for operational context. Organizations that accept PSD uploads or process untrusted PSD files should treat this as high priority due to ease of exploitation and direct impact on service availability. Organizations that do not process PSD files can safely deprioritize. The lack of KEV listing suggests a lower real-world exploitation rate currently, but the low barrier to weaponization warrants proactive patching.

Risk score, explained

The CVSS 3.1 score of 5.3 (MEDIUM) reflects a network-accessible vulnerability with no authentication required, resulting in availability loss. The attack complexity is low (AC:L), indicating no special conditions beyond crafting a malicious PSD file. Confidentiality and integrity are unaffected (C:N, I:N, A:L). The absence of scope change (S:U) keeps the impact confined to the target service. This score accurately represents a denial-of-service vector with practical exploitability but limited scope; however, the true risk to a given organization varies sharply based on whether PSD processing is in use.

Frequently asked questions

If we don't process PSD files, are we affected?

No. If your ImageMagick configuration or application explicitly disables PSD decoding, or if you do not accept PSD file uploads, this vulnerability does not apply to your systems. You can verify by checking ImageMagick's policy.xml or by testing with a benign PSD file in a controlled environment.

Can this vulnerability be exploited to steal data or modify images?

No. This vulnerability is limited to denial-of-service via resource exhaustion. It does not allow reading sensitive data, executing code, or modifying image content. All other security policies within ImageMagick continue to protect against those threats.

What is the difference between versions 6.9.13-47 and 7.1.2-22?

Version 6.9 is the legacy stable branch, while 7.1 is the current actively developed branch. Both receive security patches. You should upgrade to the appropriate patched version matching your current deployment. Check your package manager or vendor to determine which branch you are using.

If we apply a policy.xml workaround to block PSD decoding, do we still need to patch?

A policy-based workaround reduces immediate risk by preventing PSD processing, but patching is still recommended for long-term security posture and to avoid accidental re-enablement of PSD decoding. Patches address the root cause and maintain flexibility for future PSD processing needs.

This analysis is provided for informational and educational purposes. Security assessments should be tailored to your specific environment and threat model. Verify all patch version numbers and availability directly with ImageMagick release notes and your software vendor before deployment. The presence or absence of a vulnerability in CISA's Known Exploited Vulnerabilities catalog does not guarantee exploit code will or will not emerge; always treat published vulnerabilities as potentially exploitable. This page is current as of the source data publication date; check upstream sources for any updates or corrections. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).