Vulnerability of Magik.net

anonymous-edc · July 24, 2025, 4:57pm

Hello!

Since yesterday we have these warnings :

Warning As Error: Package 'Magick.NET-Q16-HDRI-AnyCPU' 14.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-vmhh-8rxq-fp9g [D:\jwrk\p11\workspace\p11-staging-main\J\Engine\Source\Programs\Shared\EpicGames.ScriptBuild\EpicGames.ScriptBuild.csproj] [dotnet build] ***\J\Engine\Source\Programs\AutomationTool\Gauntlet\Gauntlet.Automation.csproj : error NU1903: Warning As Error: Package 'Magick.NET-Q16-HDRI-AnyCPU' 14.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-vmhh-8rxq-fp9g [***\J\Engine\Source\Programs\Shared\EpicGames.ScriptBuild\EpicGames.ScriptBuild.csproj] [dotnet build] Build FAILED. [dotnet build] ***\J\Engine\Source\Programs\AutomationTool\AutomationUtils\AutomationUtils.Automation.csproj : error NU1903: Warning As Error: Package 'Magick.NET-Q16-HDRI-AnyCPU' 14.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-vmhh-8rxq-fp9g [***\J\Engine\Source\Programs\Shared\EpicGames.ScriptBuild\EpicGames.ScriptBuild.csproj] [dotnet build] ***\J\Engine\Source\Programs\AutomationTool\Gauntlet\Gauntlet.Automation.csproj : error NU1903: Warning As Error: Package 'Magick.NET-Q16-HDRI-AnyCPU' 14.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-vmhh-8rxq-fp9g [***\J\Engine\Source\Programs\Shared\EpicGames.ScriptBuild\EpicGames.ScriptBuild.csproj]I updated :

/Engine/Source/Programs/AutomationTool/AutomationTool.csproj

/Engine/Source/Programs/AutomationTool/AutomationUtils/AutomationUtils.Automation.csproj

/Engine/Source/Programs/AutomationTool/Gauntlet/Gauntlet.Automation.csproj

To use Magik.net 14.7

Is it something that you are going to do to prevent thse warnings?

Thanks!

anonymous-edc · July 24, 2025, 4:57pm

Steps to Reproduce
Compile the 5.6.0 engine

Patrick_Laflamme · July 24, 2025, 5:26pm

Hi,

Thanks for reporting, we also upgraded it today, CL 44305997 (https://github.com/EpicGames/UnrealEngine/commit/a967190c4caee9dedc834d89f3c322cc356d6f30\) on UE5/Main and it was merged to UE 5.6 at CL 44311406. You can probably keep your fix as it looks like the one we did.

Regards,

Patrick

anonymous-edc · July 24, 2025, 5:35pm

Thanks a lot [mention removed] for the quick answer and the quick fix!

WIll it be integrated in 5.6.1?

Patrick_Laflamme · July 24, 2025, 5:37pm

Yes, it will be part of 5.6.1.

anonymous-edc · July 24, 2025, 5:42pm

Thanks again!

Do you know or can you say when 5.6.1 will be released?

(I integrated your fix to have the same as you have)

Patrick_Laflamme · July 24, 2025, 5:57pm

The 5.6.1 is scheduled to be out somewhere in middle of August 2025. Sometime the date shifts, but that’s what I know today.

anonymous-edc · July 24, 2025, 6:01pm

Thanks a lot!

Much appreciated!

You can close the case!

Moddtoulder · August 26, 2025, 2:00pm

Had to bump to 14.8 on 5.6.1: ImageMagick has Undefined Behavior (function-type-mismatch) in CloneSplayTree · CVE-2025-55160 · GitHub Advisory Database · GitHub

saurabhs · August 30, 2025, 8:45am

MagickNET 14.8.0 also has high severity (CVE), 14.8.1 works

spvnn · September 11, 2025, 2:37am

How do I bump up the version of this dependency?

EDIT: Nevermind found the knowledge base article:

Dayaern · October 24, 2025, 8:29am

Updating the affected components to 14.8.1 (inside NuGet package manager of VS Studio) fixed it for me. Much appreciated.

Kirsten · October 31, 2025, 9:01am

Above worked for us until now. We get the same issue with 14.8.1
error NU1902: Warning As Error: Package 'Magick.NET-Q16-HDRI-AnyCPU' 14.8.1 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-9pp9-cfwx-54rm
[…\Engine\Saved\CsTools\Engine\Source\Programs\AutomationTool\Android\Android.Automation.csproj]

edit: I bumped the version to 14.9.1 and it works again

Satcom_Goose · November 2, 2025, 10:48am

Is this not merged into 5.6.1? I still get the old 14.7.0 version during a clean git clone and build for UE5.6.1

BigBoss3.0.1 · December 26, 2025, 4:35pm

Same for me; i.e., a few months ago, I built 5.6.1 from source, and that release is still referencing Magick.NET-Q16-HDRI-AnyCPU version 14.7.0.

I solved the issue by disabling the warnings inside the PackageReference tags in AutomationTool.csproj, AutomationUtils.Automation.csproj, and Gauntlet.Automation.csproj; i.e., respectively, I used:

<PackageReference Include="Magick.NET-Q16-HDRI-AnyCPU" Version="14.7.0">
  <NoWarn>$(NoWarn);NU1901;NU1902;NU1903</NoWarn>
</PackageReference>

<PackageReference Include="Magick.NET-Q16-HDRI-AnyCPU" Version="14.7.0" PrivateAssets="all">
  <NoWarn>$(NoWarn);NU1901;NU1902;NU1903</NoWarn>
</PackageReference>

and

<PackageReference Include="Magick.NET-Q16-HDRI-AnyCPU" Version="14.7.0" PrivateAssets="all">
  <NoWarn>$(NoWarn);NU1901;NU1902;NU1903</NoWarn>
</PackageReference>

Obviously, that’s not ideal because we are now only ignoring the vulnerability, but it does the trick if the goal is to continue using that package version.