---
title: ImageMagick vulnerability does not affect Paperclip
teaser: There is no need to upgrade Paperclip in light of CVE-2016-3714. You may choose
  to upgrade ImageMagick regardless.
tags: security,open source,paperclip,ruby
author: Tute Costa
published_on: 2016-05-04
---

> ### [UPDATE: Paperclip IS vulnerable to ImageTragick](paperclip-is-vulnerable-to-the-imagetragick-vulnerability)

Vulnerability CVE-2016-3714 in ImageMagick [was disclosed yesterday]. One of the
vulnerabilities can lead to remote code execution (RCE) when processing user
submitted images. See [ImageMagick’s disclosure]. See [related paperclip issue].
Updates and proof of concept will be available at [imagetragick.com].

The Paperclip gem makes use of ImageMagick. It verifies the files before sending
them to ImageMagick for processing. It does this by [checking the "magic bytes"]
in the file, using the `mimemagic` gem and the `file(1)` command. It has done
this since v4.3 ([commit]).
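To make that check concrete, here is an added example in Ruby that is not Paperclip's own code: a minimal magic-bytes content-type check in the spirit of Paperclip's content type detector. Paperclip delegates the actual sniffing to the `mimemagic` gem and to `file(1)`; the signature table, the sample uploads and the helper names below are assumptions made for illustration.

```ruby
# Added example, not Paperclip's code: a minimal magic-bytes content-type
# check in the spirit of Paperclip's content type detector. Paperclip itself
# delegates the sniffing to the mimemagic gem and to file(1); the signature
# table and helper names here are assumptions for illustration only.
require "stringio"

# Hand-written subset of magic-byte signatures (leading bytes => MIME type).
# Real detectors such as mimemagic carry hundreds of entries.
MAGIC_SIGNATURES = {
  "\x89PNG\r\n\x1A\n".b => "image/png",
  "\xFF\xD8\xFF".b       => "image/jpeg",
  "GIF87a".b             => "image/gif",
  "GIF89a".b             => "image/gif",
}.freeze

# Sniff the first bytes of an IO and return the MIME type those bytes
# announce, or nil when no known signature matches. The IO is rewound so
# the caller can still read the whole file afterwards.
def detect_by_magic(io)
  io.rewind
  head = io.read(16).to_s.b
  io.rewind
  MAGIC_SIGNATURES.each { |sig, type| return type if head.start_with?(sig) }
  nil
end

# Ask file(1) for its opinion, the second source Paperclip consults.
# Returns nil if the file command is not installed. Flags: -b strips the
# filename from the output, --mime-type prints only the MIME type.
def detect_with_file_command(path)
  IO.popen(["file", "-b", "--mime-type", path], &:read).to_s.strip
rescue Errno::ENOENT
  nil
end

# Compare the content type the uploader claims with what the bytes say.
# :ok when they agree; :spoofed when they disagree or the header is
# unrecognised. This is the decision made before any ImageMagick
# command sees the upload.
def check_upload(io, declared_type)
  detect_by_magic(io) == declared_type ? :ok : :spoofed
end

# Constructed sample uploads for the demonstration: the bytes and the
# content type the client declared for them.
SAMPLES = {
  "genuine PNG"            => [StringIO.new("\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b), "image/png"],
  "JPEG renamed to .png"   => [StringIO.new("\xFF\xD8\xFF\xE0\x00\x10JFIF".b),         "image/png"],
  "text file claiming PNG" => [StringIO.new("this is not an image\n".b),               "image/png"],
}.freeze

SAMPLES.each do |label, (io, declared)|
  puts "#{label}: declared #{declared}, bytes say " \
       "#{detect_by_magic(io).inspect} -> #{check_upload(io, declared)}"
end
```

The check answers a single question: do the leading bytes carry a known signature that agrees with the declared type? A renamed JPEG and a text file both fail it, which is the spoofing case Paperclip's detector exists to catch. It says nothing about what ImageMagick and its delegates do with a file whose header is genuine; the UPDATE linked at the top of this post covers how that played out for ImageTragick.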

Paperclip versions 4.2.2 and newer don’t have known vulnerabilities (versions
earlier than 4.2.2 are [vulnerable to CVE-2015-2963]). There is no need to
upgrade Paperclip in light of CVE-2016-3714. You may choose to upgrade
ImageMagick regardless.

[ImageMagick’s disclosure]: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
[commit]: https://github.com/thoughtbot/paperclip/commit/2a0274d16b4c143f2948662455e2277d49888705
[checking the "magic bytes"]: https://github.com/thoughtbot/paperclip/blob/v4.3.6/lib/paperclip/content_type_detector.rb#L52-L56
[imagetragick.com]: https://imagetragick.com/
[related paperclip issue]: https://github.com/thoughtbot/paperclip/issues/2190
[vulnerable to CVE-2015-2963]: https://thoughtbot.com/blog/paperclip-security-release
[was disclosed yesterday]: https://medium.com/@rhuber/imagemagick-is-on-fire-cve-2016-3714-379faf762247
