---
title: Paperclip IS vulnerable to ImageTragick
teaser: Paperclip is affected by CVE-2016-3714 if used with ImageMagick 7.0.1-0 or
  earlier.
tags: security,open source,paperclip,ruby
author: Tute Costa
published_on: 2016-05-06
---

Two days ago [we announced] that Paperclip was not affected by the
[ImageTragick](https://imagetragick.com/) vulnerability. Since then we have
learned that Paperclip _is_ affected, and users of Paperclip should upgrade to
ImageMagick 7.0.1-1 or newer, which includes the fix. If you cannot upgrade
right away, a workaround is to [edit the policy](https://imagetragick.com/#policy)
to disable the vulnerable ImageMagick coders.

[we announced]: https://thoughtbot.com/blog/imagemagick-vulnerability-and-paperclip
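
To audit a host against both mitigations above, here is an added example (not code from the original post or from Paperclip). It applies only the version threshold this post names and assumes the coder list from the linked imagetragick.com policy advice (EPHEMERAL, URL, HTTPS, MVG, MSL); the function names and sample inputs are constructed for illustration.

```ruby
# Added example; function names and sample data are constructed.
# Coder list: the one given in the imagetragick.com policy advice.
VULNERABLE_CODERS = %w[EPHEMERAL URL HTTPS MVG MSL].freeze
FIXED_VERSION = [7, 0, 1, 1].freeze # 7.0.1-1, the release this post names

# Extract [major, minor, patch, release] from `convert -version` style output.
def imagemagick_version(version_output)
  m = version_output.match(/ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)/)
  m && m.captures.map(&:to_i)
end

# True only when a version was found and it is 7.0.1-1 or newer.
def patched?(version_output)
  version = imagemagick_version(version_output)
  !version.nil? && (version <=> FIXED_VERSION) >= 0
end

# Return the vulnerable coders that policy.xml does NOT deny.
# Only exact pattern names are matched, so a glob pattern is reported as
# unblocked and has to be reviewed by hand (the check errs on the safe side).
def unblocked_coders(policy_xml)
  active = policy_xml.gsub(/<!--.*?-->/m, "") # commented-out policies do nothing
  denied = active.scan(/<policy\b([^>]*)>/).map do |(attrs)|
    pairs = attrs.scan(/(\w+)\s*=\s*"([^"]*)"/).to_h
    next unless pairs["domain"] == "coder" && pairs["rights"] == "none"
    pairs["pattern"].to_s.upcase
  end
  VULNERABLE_CODERS - denied.compact
end

# Constructed sample inputs: an affected build and an incomplete policy file.
SAMPLE_VERSION = "Version: ImageMagick 7.0.1-0 Q16 x86_64"
SAMPLE_POLICY = <<~XML
  <policymap>
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
    <policy domain="coder" rights="read" pattern="MSL" />
  </policymap>
XML

if __FILE__ == $PROGRAM_NAME
  puts "patched build: #{patched?(SAMPLE_VERSION)}"
  puts "coders still enabled: #{unblocked_coders(SAMPLE_POLICY).join(', ')}"
end
```

On a real host, pass in the output of `convert -version` and the contents of the `policy.xml` that ImageMagick actually loads.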

If you deploy to Heroku’s Cedar-14 stack (check with the `heroku stack`
command), you [are already
protected](https://devcenter.heroku.com/changelog-items/891).

Thank you [Phill Sparks](https://github.com/sparksp) for [letting us
know](https://github.com/thoughtbot/paperclip/issues/2190#issuecomment-217451572).
