What Is Artifex Ghostscript?
Ghostscript is the most widely deployed open-source PostScript and PDF interpreter, used by LibreOffice, CUPS (Linux printing), ImageMagick, many document conversion pipelines, and web applications that process uploaded PDFs and images. The -dSAFER flag is Ghostscript's sandbox mechanism — intended to prevent PostScript programs from accessing the filesystem or executing OS commands. Ghostscript's deep integration in document processing pipelines means that a bypass of -dSAFER allows attackers to execute arbitrary OS commands by submitting a crafted PostScript or EPS file to any service that passes it to Ghostscript — which includes any service using ImageMagick to process uploaded images.
Overview
CVE-2017-8291 is a type confusion vulnerability in Ghostscript that allows an attacker to bypass the -dSAFER sandbox restriction and execute arbitrary OS commands. The vulnerability is in the .rsdparams PostScript operator — when called with a /OutputFile parameter, a type confusion in the operator's argument handling allows escape from the sandbox. Fixed in Ghostscript 9.21. Because Ghostscript processes PostScript from EPS files embedded in documents and images, CVE-2017-8291 can be triggered by submitting malicious files to any application using ImageMagick, LibreOffice, or other Ghostscript-calling software. CISA added CVE-2017-8291 to the KEV catalog in May 2022.
Affected Versions
| Version | Status |
|---|---|
| Ghostscript before 9.21 | Vulnerable |
| Ghostscript 9.21 and later | Fixed |
Technical Details
Root Cause: Type Confusion in .rsdparams PostScript Operator
CVE-2017-8291 is a type confusion vulnerability (CWE-843) in Ghostscript's PostScript interpreter. The .rsdparams operator normally handles raster source dictionary parameters. When called with a crafted /OutputFile parameter, a type mismatch causes the interpreter to access the parameter as a different type than expected — allowing the attacker to redirect output to a path that triggers execution or to use PostScript operators (exec, run) that should be blocked by -dSAFER.
Practical exploitation via ImageMagick:
Many web applications use ImageMagick to resize and convert uploaded images. ImageMagick calls Ghostscript when processing EPS (Encapsulated PostScript) files. Uploading a malicious .eps file to a site using ImageMagick triggers Ghostscript processing with the attacker's PostScript — and CVE-2017-8291 allows bypassing the -dSAFER sandbox, executing arbitrary commands with the web application's process privileges.
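Because ImageMagick picks a coder from file content as well as the extension, an upload filter has to look at the leading bytes; the following added example (not code from the original page or from either project) allowlists image signatures and names PostScript, EPS and PDF content explicitly. The accepted formats, `classify_upload`, `Verdict` and the sample uploads are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Well-known leading-byte signatures of formats ImageMagick routes to Ghostscript.
GHOSTSCRIPT_FORMATS = {
    b"%!": "PostScript/EPS",
    b"\x04%!": "PostScript with Ctrl-D prefix",
    b"\xc5\xd0\xd3\xc6": "DOS EPS binary",
    b"%PDF-": "PDF",
}
# Assumption: this application only needs these three raster formats.
ALLOWED_FORMATS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

class Verdict(NamedTuple):
    accepted: bool
    detected: str
    reason: str

def classify_upload(filename: str, data: bytes) -> Verdict:
    """Decide from content only; the client-supplied filename is just logged."""
    for sig, label in GHOSTSCRIPT_FORMATS.items():
        if data.startswith(sig):
            return Verdict(False, label, f"{filename!r} is {label}: would reach Ghostscript")
    for sig, fmt in ALLOWED_FORMATS.items():
        if data.startswith(sig):
            # Caller can pin the coder, e.g. pass "png:<path>" to ImageMagick.
            return Verdict(True, fmt, "signature on allowlist")
    # Unknown content is rejected so the extension never selects the coder.
    return Verdict(False, "unknown", f"{filename!r} has no allowlisted signature")

# Constructed sample uploads (harmless stand-ins, not real files).
SAMPLES = {
    "avatar.jpg": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 1 1\n",
    "scan.png": b"%PDF-1.4\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "notes.eps": b"\n\n plain text with leading whitespace",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_upload(name, body))
```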
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Local (AV:L) — requires user to open/process malicious file |
| User Interaction | Required — file must be processed |
| Impact | OS command execution as the process running Ghostscript |
| Typical Vector | ImageMagick image upload processing pipelines |
Exploitation Context
- ImageMagick weaponization: Any web application accepting EPS/PS/PDF files and processing them with ImageMagick (which calls Ghostscript) is exploitable; this includes image upload features on CMSes, document conversion services, and media processing pipelines
- Document processing chains: Office suites (LibreOffice), print spoolers (CUPS), and document conversion tools that process PostScript are vulnerable; a malicious document sent to a print queue can trigger exploitation
- Persistent Ghostscript vulnerability class: Ghostscript's `-dSAFER` sandbox has been bypassed by multiple CVEs (2016-7978, 2017-8291, 2018-16509, 2019-6116); the same pattern of sandbox escapes recurs with each Ghostscript version
- CISA KEV (2022): Added May 24, 2022 reflecting continued exploitation of Ghostscript via document processing pipelines
Remediation
- Upgrade Ghostscript — update to Ghostscript 9.21 or later; use the OS package manager on Linux (`apt upgrade ghostscript` or `yum update ghostscript`); note that many subsequent Ghostscript CVEs exist — upgrade to the latest available version.
- Disable EPS/PS processing in ImageMagick — if complete Ghostscript upgrade is not immediately possible, restrict ImageMagick from processing PostScript formats; add to ImageMagick's `policy.xml`:

  ```xml
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  ```

- Validate uploaded file types — web applications accepting file uploads should validate that uploaded files are the expected type; reject PostScript, EPS, and PDF files if not required for the application's function.
- Run Ghostscript in a container/sandbox — process untrusted documents in an isolated container with restricted filesystem access and no network connectivity; limit the blast radius of Ghostscript sandbox bypasses.
- Monitor for unexpected process spawning — alert on Ghostscript or ImageMagick spawning unexpected child processes (shells, wget, curl) which may indicate exploitation of CVE-2017-8291 or similar Ghostscript vulnerabilities.
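Detection logic for the monitoring item above, as an added example (not from the original page or any vendor's rule set): it replays process-creation events and flags a shell, wget or curl whose ancestry includes Ghostscript or ImageMagick. The JSON field names, `find_suspicious_spawns` and the sample events are constructed assumptions; map them to whatever your EDR or auditd pipeline emits.

```python
import json
from pathlib import PurePosixPath

WATCHED = {"gs", "convert", "magick"}                # document renderers
SUSPICIOUS = {"sh", "bash", "dash", "wget", "curl"}  # children named in the advisory

# Constructed process-creation events, oldest first (hypothetical schema).
SAMPLE_EVENTS = """\
{"pid": 100, "ppid": 1, "exe": "/usr/sbin/php-fpm"}
{"pid": 210, "ppid": 100, "exe": "/usr/bin/convert"}
{"pid": 211, "ppid": 210, "exe": "/usr/bin/gs"}
{"pid": 212, "ppid": 211, "exe": "/bin/sh"}
{"pid": 213, "ppid": 212, "exe": "/usr/bin/curl"}
{"pid": 300, "ppid": 100, "exe": "/usr/bin/convert"}
{"pid": 301, "ppid": 300, "exe": "/usr/bin/gs"}
{"pid": 400, "ppid": 1, "exe": "/bin/bash"}
{"pid": 401, "ppid": 400, "exe": "/usr/bin/curl"}
"""

def find_suspicious_spawns(lines, max_depth=4):
    """Return one alert per suspicious process that descends from a renderer."""
    procs = {}   # pid -> (ppid, basename of exe)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        name = PurePosixPath(ev["exe"]).name
        procs[ev["pid"]] = (ev["ppid"], name)
        if name not in SUSPICIOUS:
            continue
        # Walk up the ancestry so gs -> sh -> curl is caught, not only direct children.
        chain, ppid = [name], ev["ppid"]
        for _ in range(max_depth):
            if ppid not in procs:
                break
            ppid, parent_name = procs[ppid]
            chain.append(parent_name)
            if parent_name in WATCHED:
                alerts.append({"pid": ev["pid"], "chain": " <- ".join(chain)})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_spawns(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Baseline the pipeline before alerting on it; if your ImageMagick build launches its Ghostscript delegate through a shell, that one parent/child pair needs an exception.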
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2017-8291 |
| Vendor / Product | Artifex — Ghostscript |
| NVD Published | 2017-04-27 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-843 — Access of Resource Using Incompatible Type ('Type Confusion') |
| CISA KEV Added | 2022-05-24 |
| CISA KEV Deadline | 2022-06-14 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2017-04-06 | CVE-2017-8291 reported; Ghostscript 9.21 released patching the -dSAFER bypass |
| 2017-04-27 | CVE-2017-8291 published by NVD |
| 2022-05-24 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-14 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2017-8291 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Ghostscript Bug 697808 — CVE-2017-8291 .rsdparams type confusion | Vendor Advisory |