CVE-2023-36664 is a command-injection vulnerability in Ghostscript (Artifex's interpreter for PostScript and PDF), rated CVSS v3.1 9.8 (Critical) by NVD. Ghostscript mishandled permission validation for pipe devices, so a document containing a filename beginning with the pipe prefix could cause the interpreter to execute an operating-system command. Because Ghostscript is quietly embedded in a long list of document- and image-processing tools, a single crafted file could reach it through software the victim never associated with PostScript at all.
Timeline and impact
The vulnerability was disclosed on June 25, 2023 and affects Ghostscript versions through 10.01.1, with the fix landing in 10.01.2. The reason it mattered so much is Ghostscript's position as invisible infrastructure: it renders and converts files behind the scenes for LibreOffice, Inkscape, Scribus, ImageMagick, and numerous PDF and print pipelines. A user who opens an innocent-looking document, or a server that auto-processes an uploaded image, can invoke Ghostscript without any awareness that they have done so. That indirection is what turned a parser permission bug into a broad remote-code-execution concern, and proof-of-concept exploits appeared quickly after disclosure.
This was not Ghostscript's first sandbox-escape rodeo, and that history is the point. The interpreter is powerful by design — PostScript is a full programming language, and Ghostscript can touch the filesystem and spawn external devices — so Artifex introduced the -dSAFER mode to constrain what untrusted documents may do, and eventually made it the default. Yet a recurring class of CVEs, CVE-2023-36664 among them, has come from gaps in exactly that guard rail: a path or device that the sandbox was supposed to forbid but did not fully validate. Any organization that renders untrusted documents server-side should therefore treat Ghostscript as a component that will need patching again, and build its detection and update process around that expectation rather than reacting anew each time.
Technical root cause
Ghostscript can direct output to various "devices," and among them is the ability to send data to an external program through a pipe. This is expressed with a special filename syntax — a name prefixed with %pipe%, or in some contexts a leading | (pipe) character — where the remainder of the name is treated as a command to run.
Ghostscript is supposed to gate access to such powerful devices behind its permission/path-validation logic (the -dSAFER sandbox and related checks are meant to prevent untrusted documents from reaching them). CVE-2023-36664 is a flaw in that validation: the handling of pipe-device filenames did not correctly enforce the permission checks, so a filename crafted to open a pipe device slipped past the guard. A malicious PostScript or EPS document could therefore specify an output filename that Ghostscript interpreted as "run this command."
Conceptually, the malicious content resembles this:
%!PS
% A crafted operation that opens an output filename beginning with
% the pipe prefix, which Ghostscript treats as a command to execute:
(%pipe%id) (w) file
When the interpreter processes the file, it opens the "pipe device," and the text after the prefix — here id, but in a real attack a reverse shell or payload download — is executed by the shell with the privileges of the process running Ghostscript. Delivery is the dangerous part: the payload can be embedded in an EPS embedded in another document, or in an image handed to a server-side conversion pipeline, so the victim need only open or upload a file.
How to detect if you are affected
- Version check. Run
gs --version. Anything 10.01.1 or earlier is affected; 10.01.2 and later contain the fix. On distributions, compare against the vendor's patched package rather than the upstream string. - Find the indirect dependencies. The bigger risk is the Ghostscript you did not install directly — the copy bundled by or invoked from ImageMagick, document converters, print servers, and thumbnailing services. A search for the
gsbinary alone can miss a vendored or container-bundled copy. - Review server-side file-processing pipelines that accept user uploads (images, PDFs, PostScript) and pass them to any tool that shells out to Ghostscript.
Because Ghostscript so often arrives as a transitive or bundled component, manifest-only checks miss it. Safeguard's software composition analysis identifies the Ghostscript package and version wherever it appears, including inside container images and indirect dependencies.
Remediation and patched versions
- Upgrade Ghostscript to 10.01.2 or later (or your distribution's backported fix), which corrects the pipe-device permission validation.
- Patch the tools that embed it, since ImageMagick and similar tools may ship or depend on their own Ghostscript. Safeguard's container security scanning flags a vulnerable Ghostscript inside an image layer feeding a conversion service.
- Harden processing pipelines as defense in depth: run untrusted document conversion in a sandbox or minimal container with no outbound network and least privilege, so a bypass has nowhere to go.
- Re-scan after patching to confirm no bundled copy still ships the vulnerable version.
How Safeguard surfaces and auto-fixes CVE-2023-36664
Ghostscript is a textbook "invisible dependency" — a component that executes attacker-influenced input on behalf of software you think of as a document viewer or an image converter. Safeguard resolves your full dependency graph and inspects container image layers, so a Ghostscript bundled several hops behind an image-processing library is surfaced with the exact path to it rather than lost in a manifest gap. Findings are enriched with CISA KEV and EPSS context, so a critical, easily weaponized command-injection flaw is prioritized against the rest of your backlog.
Where a patched version exists, automated fix pull requests raise the upgrade against your manifests and image definitions and run your pipeline, and Griffin AI highlights which of your services actually feed untrusted files into Ghostscript versus those that merely have it installed. If you are comparing how tools handle these deep, bundled native components, our comparison against Snyk walks through the difference in detection depth.
A document that quietly ran a command is the whole story here: the risk lived in a component nobody was watching. Continuous, deep dependency visibility is what brings it into view.
Register at app.safeguard.sh/register, or read the documentation at docs.safeguard.sh.