{"id":79772,"date":"2026-05-28T21:31:05","date_gmt":"2026-05-28T21:31:05","guid":{"rendered":"https:\/\/owncloud.com\/?p=79772"},"modified":"2026-05-28T21:31:05","modified_gmt":"2026-05-28T21:31:05","slug":"a-critical-vulnerability-in-libvips-what-owncloud-users-and-operators-need-to-know","status":"publish","type":"post","link":"https:\/\/owncloud.com\/de\/blogs\/a-critical-vulnerability-in-libvips-what-owncloud-users-and-operators-need-to-know\/","title":{"rendered":"A Critical Vulnerability in libvips: What ownCloud Users and Operators Need to Know"},"content":{"rendered":"

A Critical Vulnerability in libvips: What ownCloud Users and Operators Need to Know<\/h1>\n
<\/div>\n
If you run ownCloud Infinite Scale (oCIS), or any infrastructure that processes images<\/strong>, there’s something you need to check today.<\/div>\n
The Kiteworks OSPO<\/a> and the ownCloud and Kiteworks security research teams<\/a> have identified a critical vulnerability in libvips, a widely used open source image processing library. We’re publishing this now as part of our commitment to transparency with the ownCloud community, and because we think you deserve to know promptly rather than waiting for the broader disclosure cycle to play out.<\/div>\n
<\/div>\n

What is libvips, and why does it matter here?<\/h2>\n
libvips is a fast, low-memory image processing library that shows up as a dependency in a surprisingly wide range of software.
\nYou might not have installed it directly. It often arrives as a transitive dependency, something another package pulled in without it being obvious.
\nIf you run oCIS upgrade to oCIS 8.0.4<\/a><\/span>, or other tools that handle image processing, there’s a real chance libvips is somewhere in your stack.<\/div>\n
The vulnerability carries an anticipated CVSS v3.1 score of 10.0. It hasn’t yet been assigned a CVE identifier, but a fix exists in libvips version 8.18.2 upstream<\/a>.<\/div>\n
<\/div>\n

The container problem<\/h2>\n
\n
\n

This is where it gets complicated for a lot of operators. Even if you’ve applied application-level fixes, your underlying container base image may still be running a vulnerable version of libvips<\/strong>. Alpine Linux,\u00a0for instance<\/span>, which is the base image for a huge proportion of containerized workloads in the cloud-native world, doesn’t yet (as of today, 26\/05\/28) carry a patched package version. That means patching at the OS package level isn’t currently an option if you’re on Alpine. Your environment may still be exposed even if everything at the application layer looks clean.<\/p>\n<\/div>\n

Please audit your infrastructure. Specifically, check the base images of any container workloads that might be pulling in libvips, directly or indirectly.<\/div>\n

oCIS is already patched<\/h2>\n
The good news is that ownCloud Infinite Scale has already addressed this at the application level<\/strong>\u00a0by using the community image of Alpine to build the latest version 8.0.4<\/a><\/span>.<\/div>\n
If you’re running oCIS, update to a version that includes this fix. If you’re not sure whether your deployment is current, this is a good moment to check.<\/div>\n
<\/div>\n
OpenCloud is a fork of ownCloud of ownCloud Infinite Scale<\/span>, and because we share a significant portion of the same codebase, vulnerabilities that affect oCIS are often relevant to them as well. We reached out privately before publishing this post. That’s just how responsible disclosure works between projects with shared ancestry, especially within open source, and we sometimes overlook the respect and dedication this shows, as both our communities have done this for each other in the past.<\/div>\n<\/div>\n
\n

What should you actually do right now?<\/h2>\n
\n

If you’re an operator or sysadmin: update oCIS<\/a> if you haven’t already, and audit your container base images for libvips. Don’t assume that an application-layer fix is enough if you’re running Alpine-based containers.<\/p>\n<\/div>\n

\n

If you’re a developer: check whether libvips appears anywhere in your dependency tree, including indirectly. The\u00a0vips<\/code>\u00a0binary or the\u00a0libvips<\/code>\u00a0package in your container image are the things to look for.<\/p>\n<\/div>\n

\n

If you’re a less technical user or manager: the short version is that ownCloud Infinite Scale has been patched, and your team should verify that your deployment is running the updated version. If you use a managed ownCloud hosting service, check in with your provider.<\/p>\n<\/div>\n

We’ll share more details, including the CVE once it’s assigned, as the disclosure process moves forward.
\nIn the meantime, if you have questions or think you’ve found something related in your own environment, please reach out to the ownCloud security team<\/a>.<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

The Kiteworks OSPO and the ownCloud and Kiteworks security research teams have identified a critical vulnerability in libvips.
\nIf you run ownCloud Infinite Scale (oCIS), or any infrastructure that processes images, please take note.
\nThe latest version of ownCloud Infinite scale has already addressed this issue on the application level.<\/p>\n","protected":false},"author":7,"featured_media":78665,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[509,344,621,339,354,360,44],"tags":[],"class_list":["post-79772","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infinite-scale","category-opensource","category-ospo","category-owncloud","category-release","category-security","category-updates"],"acf":[],"_links":{"self":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/79772","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/comments?post=79772"}],"version-history":[{"count":4,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/79772\/revisions"}],"predecessor-version":[{"id":79777,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/79772\/revisions\/79777"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media\/78665"}],"wp:attachment":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media?parent=79772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/categories?post=79772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/tags?post=79772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}