Matrix Media Repo Untrusted File Format Thumbnailing Vulnerability Invoking External Decoders

Vulnerability

Matrix Media Repo (MMR) versions prior to 1.3.8 allow a user to upload a file that falsely claims to be SVG or JPEGXL while actually containing a different format. When MMR generates thumbnails for such a file, the mismatched content can trigger a different decoder in ImageMagick than the declared type suggests. In certain ImageMagick installations this can cause Ghostscript to be invoked to decode the file, potentially leading to the execution of malicious code. The same flaw applies to the MP4 thumbnailer when it is enabled: a file that pretends to be an MP4 is handed to the ffmpeg installation, which can be affected in the same way.

Impact

Successful exploitation could lead to the execution of untrusted code through Ghostscript (for files declared as SVG or JPEGXL) or ffmpeg (for files declared as MP4), depending on the file type uploaded.

Remediation

Users are advised to upgrade to Matrix Media Repo version 1.3.8 or later. Those unable to upgrade can disable the SVG, JPEGXL, and MP4 thumbnail types in the MMR configuration so that files of these declared types are never passed to an external decoder. Additionally, running MMR and its external decoders in containers or similar isolation technologies can limit the impact of vulnerabilities in ImageMagick and ffmpeg.
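The root cause described above is that MMR trusted the declared type of an upload and let the external decoder choose how to interpret the bytes. The following Go program is an added example written for this advisory, not code from the Matrix Media Repo project: it sniffs the leading bytes of an upload, compares the real format against the declared MIME type, and refuses to thumbnail on a mismatch or when the type is not on an allow-list. The function names, the `DefaultThumbnailTypes` allow-list and the sample uploads are all constructed for illustration; MMR's actual configuration keys are not reproduced here.

```go
package main

import (
	"bytes"
	"fmt"
)

// Magic-byte signatures for the formats this check recognises. MP4 is handled
// separately below because its "ftyp" marker sits at offset 4, not 0.
var signatures = []struct {
	mime  string
	magic []byte
}{
	{"image/png", []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'}},
	{"image/jpeg", []byte{0xFF, 0xD8, 0xFF}},
	{"image/jxl", []byte{0xFF, 0x0A}},                                                          // bare JPEG XL codestream
	{"image/jxl", []byte{0x00, 0x00, 0x00, 0x0C, 'J', 'X', 'L', ' ', '\r', '\n', 0x87, '\n'}}, // JPEG XL container
	{"application/postscript", []byte("%!PS")},                                                // what Ghostscript would consume
	{"application/pdf", []byte("%PDF")},
}

// detectFormat returns the MIME type the content actually is, based on its
// leading bytes, or "application/octet-stream" when nothing matches.
func detectFormat(data []byte) string {
	for _, s := range signatures {
		if bytes.HasPrefix(data, s.magic) {
			return s.mime
		}
	}
	// ISO BMFF (MP4): a 4-byte box size followed by the "ftyp" box type.
	if len(data) >= 8 && bytes.Equal(data[4:8], []byte("ftyp")) {
		return "video/mp4"
	}
	if looksLikeSVG(data) {
		return "image/svg+xml"
	}
	return "application/octet-stream"
}

// looksLikeSVG accepts text whose first element (after an optional BOM,
// whitespace, XML declaration, comments and DOCTYPE) is <svg. Anything else,
// including a binary or PostScript payload renamed to .svg, fails closed.
func looksLikeSVG(data []byte) bool {
	head := data
	if len(head) > 4096 {
		head = head[:4096]
	}
	head = bytes.TrimPrefix(head, []byte{0xEF, 0xBB, 0xBF})
	for {
		head = bytes.TrimLeft(head, " \t\r\n")
		switch {
		case bytes.HasPrefix(head, []byte("<?xml")):
			end := bytes.Index(head, []byte("?>"))
			if end < 0 {
				return false
			}
			head = head[end+2:]
		case bytes.HasPrefix(head, []byte("<!--")):
			end := bytes.Index(head, []byte("-->"))
			if end < 0 {
				return false
			}
			head = head[end+3:]
		case bytes.HasPrefix(head, []byte("<!DOCTYPE")):
			end := bytes.IndexByte(head, '>')
			if end < 0 {
				return false
			}
			head = head[end+1:]
		default:
			return bytes.HasPrefix(head, []byte("<svg"))
		}
	}
}

// DefaultThumbnailTypes is a hypothetical allow-list mirroring the advisory's
// workaround: SVG, JPEG XL and MP4 are left disabled so those declared types
// never reach ImageMagick or ffmpeg at all.
var DefaultThumbnailTypes = map[string]bool{
	"image/png":     true,
	"image/jpeg":    true,
	"image/svg+xml": false,
	"image/jxl":     false,
	"video/mp4":     false,
}

// ThumbnailAllowed decides whether an upload may be handed to the thumbnailer.
// Both conditions must hold: the declared type is enabled, and the bytes really
// are that type. A PostScript file declared as SVG is refused before any
// external decoder is invoked.
func ThumbnailAllowed(declared string, data []byte, enabled map[string]bool) (bool, string) {
	if !enabled[declared] {
		return false, fmt.Sprintf("thumbnailing disabled for %s", declared)
	}
	if actual := detectFormat(data); actual != declared {
		return false, fmt.Sprintf("declared %s but content sniffs as %s", declared, actual)
	}
	return true, "ok"
}

func main() {
	// Constructed sample uploads, not real attack files.
	samples := []struct {
		declared string
		data     []byte
	}{
		{"image/svg+xml", []byte("<?xml version=\"1.0\"?>\n<svg xmlns=\"http://www.w3.org/2000/svg\"/>")},
		{"image/svg+xml", []byte("%!PS-Adobe-3.0\n")},                                  // PostScript renamed to .svg
		{"image/jxl", []byte{0xFF, 0xD8, 0xFF, 0xE0}},                                  // JPEG declared as JPEG XL
		{"video/mp4", []byte{0, 0, 0, 0x18, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm'}}, // genuine MP4 header
	}
	permissive := map[string]bool{"image/svg+xml": true, "image/jxl": true, "video/mp4": true}
	for _, s := range samples {
		ok, why := ThumbnailAllowed(s.declared, s.data, permissive)
		fmt.Printf("%-14s allowed=%-5v %s\n", s.declared, ok, why)
	}
}
```

The check is deliberately an allow-list that fails closed: an unrecognised or mismatched payload is never passed on, so the decoder that would otherwise be selected by content (Ghostscript via ImageMagick, or ffmpeg) is not invoked. Content sniffing of this kind complements, rather than replaces, the upgrade to 1.3.8 and the isolation of external decoders in containers.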

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact         10.0
exploitability  5.0
remediation     8.3
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.