A Critical Vulnerability in libvips: What ownCloud Users and Operators Need to Know
What is libvips, and why does it matter here?
You might not have installed it directly. It often arrives as a transitive dependency, something another package pulled in without it being obvious.
If you run oCIS (upgrade to oCIS 8.0.4) or other tools that handle image processing, there’s a real chance libvips is somewhere in your stack.
The container problem
This is where it gets complicated for a lot of operators. Even if you’ve applied application-level fixes, your underlying container base image may still be running a vulnerable version of libvips. Alpine Linux, for instance, which is the base image for a huge proportion of containerized workloads in the cloud-native world, doesn’t yet (as of today, 26/05/28) carry a patched package version. That means patching at the OS package level isn’t currently an option if you’re on Alpine. Your environment may still be exposed even if everything at the application layer looks clean.
oCIS is already patched
What should you actually do right now?
If you’re an operator or sysadmin: update oCIS if you haven’t already, and audit your container base images for libvips. Don’t assume that an application-layer fix is enough if you’re running Alpine-based containers.
If you’re a developer: check whether libvips appears anywhere in your dependency tree, including indirectly. The vips binary or the libvips package in your container image are the things to look for.
If you’re a less technical user or manager: the short version is that ownCloud Infinite Scale has been patched, and your team should verify that your deployment is running the updated version. If you use a managed ownCloud hosting service, check in with your provider.
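One way to run the base-image audit described above, as an added example that is not ownCloud's own tooling: a script that looks for libvips in a container root filesystem unpacked to a directory, checking both the files on disk and the Alpine and Debian package databases. The function names and the sample tree are constructed for illustration, and the versions are placeholders. The script reports what is installed without judging it, so compare the reported version against the libvips advisory.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find libvips in an unpacked image,
# e.g. a directory filled by: docker export <container> | tar -x -C rootfs
# Prints one tab-separated finding per line; returns non-zero when none is found.
find_libvips() {
    root=${1%/}
    {
        # Shared libraries and the vips binary, wherever they were installed.
        find "${root:-/}" \( -name 'libvips*.so*' -o -name vips \) \
            \( -type f -o -type l \) 2>/dev/null |
        while IFS= read -r hit; do
            printf 'file\t%s\n' "${hit#"$root"}"
        done
        # Alpine: the apk database records P:<package> then V:<version>.
        if [ -f "$root/lib/apk/db/installed" ]; then
            awk '/^P:/ { name = substr($0, 3) }
                 /^V:/ && name ~ /vips/ { print "apk\t" name "\t" substr($0, 3) }' \
                "$root/lib/apk/db/installed"
        fi
        # Debian/Ubuntu: dpkg status records "Package: " then "Version: ".
        if [ -f "$root/var/lib/dpkg/status" ]; then
            awk '/^Package: / { name = substr($0, 10) }
                 /^Version: / && name ~ /vips/ { print "dpkg\t" name "\t" substr($0, 10) }' \
                "$root/var/lib/dpkg/status"
        fi
    } | grep .
}

# Constructed sample: an Alpine-style tree with placeholder versions.
make_sample_rootfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/lib" "$dir/lib/apk/db"
    : > "$dir/usr/lib/libvips.so.42"
    printf 'P:musl\nV:0.0.1-r0\n\nP:vips\nV:0.0.0-r0\n\n' > "$dir/lib/apk/db/installed"
    printf '%s\n' "$dir"
}

# With an argument, scan that directory; otherwise scan the constructed sample.
if [ "$#" -gt 0 ]; then
    find_libvips "$1" || echo "no libvips found under $1"
else
    sample=$(make_sample_rootfs)
    find_libvips "$sample" || echo "no libvips found in sample"
    rm -rf "$sample"
fi
```

A `file` hit with no matching `apk` or `dpkg` line means the library was copied or compiled into the image, so an OS package upgrade will not replace it.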
In the meantime, if you have questions or think you’ve found something related in your own environment, please reach out to the ownCloud security team.


