CVE-2023-1289 is a medium-severity improper input validation vulnerability in Magick.NET-Q16-AnyCPU (nuget), affecting versions <= 12.3.0. It is fixed in 13.0.0.
Summary Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS. Operating system, version and so on Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara) Tested ImageMagick version 6.9.11-60, 7.1.0-62 Details A specially created SVG file that loads by itself and make segmentation fault. Remote attackers can take advantage of this vulnerability to cause a denial of service of the generated SVG file. It seems that this error affects a lot of websites and causes a generating trash files in /tmp when uploading this PC file to the server. I think it's better to check the file descriptor coming from itself before executing read(). PoC Generate SVG file: Run some commands for verification: Impact Possible DOS, because when ImageMagick crashes it generates a lot of trash files. This trash file can be large, if SVG file contains many render action. Additional impact In DOS attack if remount attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. This means that if an attacker uploads a 100 M SVG, the server will generate about 10 G. Example: P. S. If ImageMagick will work in Docker container this attack will crash server where docker running. Because the size of the docker container will increase.
The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact: varies by context: data corruption, logic bypass, or denial of service.
CVE-2023-1289 has a CVSS score of 5.5 (Medium). The vector is requires local access, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (13.0.0). Upgrading removes the vulnerable code path.
nuget
Magick.NET-Q16-AnyCPU (<= 12.3.0)Magick.NET-Q16-HDRI-AnyCPU (<= 12.3.0)Magick.NET-Q16-HDRI-OpenMP-arm64 (<= 12.3.0)Magick.NET-Q16-HDRI-arm64 (<= 12.3.0)Magick.NET-Q16-HDRI-x64 (<= 12.3.0)Magick.NET-Q16-HDRI-x86 (<= 12.3.0)Magick.NET-Q16-OpenMP-arm64 (<= 12.3.0)Magick.NET-Q16-OpenMP-x64 (<= 12.3.0)Magick.NET-Q16-OpenMP-x86 (<= 12.3.0)Magick.NET-Q16-arm64 (<= 12.3.0)Magick.NET-Q16-x64 (<= 12.3.0)Magick.NET-Q16-x86 (<= 12.3.0)Magick.NET-Q16-HDRI-OpenMP-x64 (<= 12.3.0)Magick.NET-Q8-AnyCPU (<= 12.3.0)Magick.NET-Q8-OpenMP-arm64 (<= 12.3.0)Magick.NET-Q8-OpenMP-x64 (<= 12.3.0)Magick.NET-Q8-arm64 (<= 12.3.0)Magick.NET-Q8-x64 (<= 12.3.0)Magick.NET-Q8-x86 (<= 12.3.0)Magick.NET-Q16-AnyCPU → 13.0.0 (nuget)Magick.NET-Q16-HDRI-AnyCPU → 13.0.0 (nuget)Magick.NET-Q16-HDRI-OpenMP-arm64 → 13.0.0 (nuget)Magick.NET-Q16-HDRI-arm64 → 13.0.0 (nuget)Magick.NET-Q16-HDRI-x64 → 13.0.0 (nuget)Magick.NET-Q16-HDRI-x86 → 13.0.0 (nuget)Magick.NET-Q16-OpenMP-arm64 → 13.0.0 (nuget)Magick.NET-Q16-OpenMP-x64 → 13.0.0 (nuget)Magick.NET-Q16-OpenMP-x86 → 13.0.0 (nuget)Magick.NET-Q16-arm64 → 13.0.0 (nuget)Magick.NET-Q16-x64 → 13.0.0 (nuget)Magick.NET-Q16-x86 → 13.0.0 (nuget)Magick.NET-Q16-HDRI-OpenMP-x64 → 13.0.0 (nuget)Magick.NET-Q8-AnyCPU → 13.0.0 (nuget)Magick.NET-Q8-OpenMP-arm64 → 13.0.0 (nuget)Magick.NET-Q8-OpenMP-x64 → 13.0.0 (nuget)Magick.NET-Q8-arm64 → 13.0.0 (nuget)Magick.NET-Q8-x64 → 13.0.0 (nuget)Magick.NET-Q8-x86 → 13.0.0 (nuget)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2023-1289 is reachable in your applications. Explore open-source security for your team.
See if CVE-2023-1289 is reachable in your applications. Get a demo
Upgrade the following packages to resolve this vulnerability:
Magick.NET-Q16-AnyCPU to 13.0.0 or laterMagick.NET-Q16-HDRI-AnyCPU to 13.0.0 or laterMagick.NET-Q16-HDRI-OpenMP-arm64 to 13.0.0 or laterMagick.NET-Q16-HDRI-arm64 to 13.0.0 or laterMagick.NET-Q16-HDRI-x64 to 13.0.0 or laterMagick.NET-Q16-HDRI-x86 to 13.0.0 or laterMagick.NET-Q16-OpenMP-arm64 to 13.0.0 or laterMagick.NET-Q16-OpenMP-x64 to 13.0.0 or laterMagick.NET-Q16-OpenMP-x86 to 13.0.0 or laterMagick.NET-Q16-arm64 to 13.0.0 or laterMagick.NET-Q16-x64 to 13.0.0 or laterMagick.NET-Q16-x86 to 13.0.0 or laterMagick.NET-Q16-HDRI-OpenMP-x64 to 13.0.0 or laterMagick.NET-Q8-AnyCPU to 13.0.0 or laterMagick.NET-Q8-OpenMP-arm64 to 13.0.0 or laterMagick.NET-Q8-OpenMP-x64 to 13.0.0 or laterMagick.NET-Q8-arm64 to 13.0.0 or laterMagick.NET-Q8-x64 to 13.0.0 or laterMagick.NET-Q8-x86 to 13.0.0 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2023-1289 is a medium-severity improper input validation vulnerability in Magick.NET-Q16-AnyCPU (nuget), affecting versions <= 12.3.0. It is fixed in 13.0.0. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
CVE-2023-1289 has a CVSS score of 5.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
Magick.NET-Q16-AnyCPU (nuget) (versions <= 12.3.0)Magick.NET-Q16-HDRI-AnyCPU (nuget) (versions <= 12.3.0)Magick.NET-Q16-HDRI-OpenMP-arm64 (nuget) (versions <= 12.3.0)Magick.NET-Q16-HDRI-arm64 (nuget) (versions <= 12.3.0)Magick.NET-Q16-HDRI-x64 (nuget) (versions <= 12.3.0)Magick.NET-Q16-HDRI-x86 (nuget) (versions <= 12.3.0)Magick.NET-Q16-OpenMP-arm64 (nuget) (versions <= 12.3.0)Magick.NET-Q16-OpenMP-x64 (nuget) (versions <= 12.3.0)Magick.NET-Q16-OpenMP-x86 (nuget) (versions <= 12.3.0)Magick.NET-Q16-arm64 (nuget) (versions <= 12.3.0)Magick.NET-Q16-x64 (nuget) (versions <= 12.3.0)Magick.NET-Q16-x86 (nuget) (versions <= 12.3.0)Magick.NET-Q16-HDRI-OpenMP-x64 (nuget) (versions <= 12.3.0)Magick.NET-Q8-AnyCPU (nuget) (versions <= 12.3.0)Magick.NET-Q8-OpenMP-arm64 (nuget) (versions <= 12.3.0)Magick.NET-Q8-OpenMP-x64 (nuget) (versions <= 12.3.0)Magick.NET-Q8-arm64 (nuget) (versions <= 12.3.0)Magick.NET-Q8-x64 (nuget) (versions <= 12.3.0)Magick.NET-Q8-x86 (nuget) (versions <= 12.3.0)Yes. CVE-2023-1289 is fixed in 13.0.0. Upgrade to this version or later.
Whether CVE-2023-1289 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Magick.NET-Q16-AnyCPU to 13.0.0 or laterMagick.NET-Q16-HDRI-AnyCPU to 13.0.0 or laterMagick.NET-Q16-HDRI-OpenMP-arm64 to 13.0.0 or laterMagick.NET-Q16-HDRI-arm64 to 13.0.0 or laterMagick.NET-Q16-HDRI-x64 to 13.0.0 or laterMagick.NET-Q16-HDRI-x86 to 13.0.0 or laterMagick.NET-Q16-OpenMP-arm64 to 13.0.0 or laterMagick.NET-Q16-OpenMP-x64 to 13.0.0 or laterMagick.NET-Q16-OpenMP-x86 to 13.0.0 or laterMagick.NET-Q16-arm64 to 13.0.0 or laterMagick.NET-Q16-x64 to 13.0.0 or laterMagick.NET-Q16-x86 to 13.0.0 or laterMagick.NET-Q16-HDRI-OpenMP-x64 to 13.0.0 or laterMagick.NET-Q8-AnyCPU to 13.0.0 or laterMagick.NET-Q8-OpenMP-arm64 to 13.0.0 or laterMagick.NET-Q8-OpenMP-x64 to 13.0.0 or laterMagick.NET-Q8-arm64 to 13.0.0 or laterMagick.NET-Q8-x64 to 13.0.0 or laterMagick.NET-Q8-x86 to 13.0.0 or later