Wiz
Vulnerability DatabaseCVE-2024-56515

CVE-2024-56515
Linux openSUSE vulnerability analysis and mitigation

Overview

Matrix Media Repo (MMR), a highly configurable multi-homeserver media repository for Matrix, was found to have a vulnerability (CVE-2024-56515) disclosed on January 16, 2025. The vulnerability affects versions prior to 1.3.8, where if SVG or JPEGXL thumbnailers are enabled (disabled by default), users could upload files claiming to be these types and request thumbnails to invoke different decoders in ImageMagick, potentially leading to unauthorized code execution (GitHub Advisory).

Technical details

The vulnerability stems from the way MMR handles thumbnail generation for certain file types. When processing SVG or JPEGXL files, the system could invoke ImageMagick decoders, which in some installations includes the capability to run Ghostscript for image decoding. Similarly, for MP4 thumbnailers, the issue could occur with ffmpeg installations. The vulnerability has been assigned a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, indicating network attack vector with low attack complexity (NVD).

Impact

The vulnerability could allow attackers to execute arbitrary code through ImageMagick's Ghostscript capabilities or ffmpeg installations when processing certain file types. While the vulnerable thumbnailers (SVG, JPEGXL, and MP4) are disabled by default, if enabled, they could lead to unauthorized code execution and potential system compromise (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in MMR v1.3.8, which now inspects the mimetype of media prior to thumbnailing and selects thumbnailers based on those results instead of relying on user-supplied values. For users unable to upgrade, it is recommended to disable SVG, JPEGXL, and MP4 thumbnail types in the MMR config. Additional security measures include using containers to limit the impact of vulnerabilities, disabling unsafe file types in ImageMagick, and compiling ffmpeg with limited decoders/codecs. The Docker image for MMR disables PDFs and similar formats by default (GitHub Release).

Additional resources

SourceThis report was generated using AI

Related Linux openSUSE vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-13470HIGH7.7
  • Linux DebianLinux Debian
  • rnp
NoYesNov 21, 2025
CVE-2025-61915MEDIUM6.7
  • OpenPrinting CUPSOpenPrinting CUPS
  • cups-devel
NoYesNov 29, 2025
CVE-2025-58436MEDIUM5.5
  • OpenPrinting CUPSOpenPrinting CUPS
  • cups-ipptool
NoYesNov 29, 2025
CVE-2025-9820N/AN/A
  • GnuTLSGnuTLS
  • gnutls-c++
NoYesNov 21, 2025
CVE-2025-13402N/AN/A
  • Linux FedoraLinux Fedora
  • rnp
NoYesNov 21, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo