CVE-2017-8291

HIGH KEV LAB

Ghostscript Type Confusion Arbitrary Command Execution

Title source: metasploit

Exploitation Summary

CVE-2017-8291 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 24, 2022. EIP tracks 6 public exploits from researchers including Metasploit, DaniilOrchikov and hkcfs, among them the Metasploit module exploits/unix/fileformat/ghostscript_type_confusion.

AI-analyzed exploit summary: This Metasploit module exploits a type confusion vulnerability in Ghostscript (CVE-2017-8291) to achieve arbitrary command execution. It generates a malicious EPS file that, when processed by Ghostscript, executes the embedded payload.

Description

Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/41955

This Metasploit module exploits a type confusion vulnerability in Ghostscript (CVE-2017-8291) to achieve arbitrary command execution. It generates a malicious EPS file that, when processed by Ghostscript, executes the embedded payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ghostscript 9.21 and earlier
No auth needed
Prerequisites: Ghostscript installed on the target system · Ability to deliver the malicious EPS file to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by DaniilOrchikov · poc
https://github.com/DaniilOrchikov/PIL-CVE-2017-8291

This repository contains a working PoC for CVE-2017-8291, demonstrating RCE in Python PIL/Pillow via GhostScript's EPS processing. The Flask app allows uploading a malicious EPS file disguised as a PNG, exploiting the GhostButt vulnerability to execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Python PIL/Pillow (with GhostScript dependency)
No auth needed
Prerequisites: GhostScript installed on the target system · Ability to upload files to the vulnerable application
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by hkcfs · remote
https://github.com/hkcfs/PIL-CVE-2017-8291

This repository contains a working PoC for CVE-2017-8291, exploiting a remote command execution vulnerability in Python's PIL (Pillow) module via GhostScript's sandbox bypass. The Flask app demonstrates the vulnerability by allowing EPS files disguised as PNGs to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Python PIL (Pillow) with GhostScript
No auth needed
Prerequisites: GhostScript installed on the target system · PIL/Pillow library in use · Ability to upload files to the target application
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by shun1403 · remote
https://github.com/shun1403/PIL-CVE-2017-8291-study

This repository contains a working PoC for CVE-2017-8291, demonstrating an RCE vulnerability in Python Imaging Library (PIL) due to improper file type handling. The exploit leverages GhostScript command injection via a maliciously crafted EPS file disguised as a PNG.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Python Imaging Library (PIL) with GhostScript integration
No auth needed
Prerequisites: Docker environment · GhostScript installed on target system · File upload functionality in target application
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by shun1403 · remote
https://github.com/shun1403/CVE-2017-8291

This repository contains a working PoC for CVE-2017-8291, demonstrating remote command execution via Python PIL/Pillow's handling of EPS files through GhostScript. The Flask app allows file uploads with extension checks bypassed by exploiting file header detection.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Python PIL/Pillow (with GhostScript dependency)
No auth needed
Prerequisites: GhostScript installed on the target system · Ability to upload files to the vulnerable application
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Atlassian Security Team, hdm · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb

This Metasploit module exploits a type confusion vulnerability in Ghostscript (CVE-2017-8291) to achieve arbitrary command execution. It generates a malicious EPS file that triggers the vulnerability when processed by Ghostscript.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ghostscript versions 9.21 and earlier
No auth needed
Prerequisites: Ghostscript installed on the target system · Ability to deliver the malicious EPS file to the target
devstral-2 · analyzed Feb 16, 2026

References (11)

Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3838
Exploit, Issue Tracking, Third Party Advisory, VDB Entry x_refsource_misc
https://bugzilla.suse.com/show_bug.cgi?id=1036453
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1230
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98476
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41955/
Mailing List, Patch, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2017/04/28/2
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201708-06
Issue Tracking, Patch, Third Party Advisory, VDB Entry x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1446063
Issue Tracking, Third Party Advisory, VDB Entry x_refsource_misc
https://bugs.ghostscript.com/show_bug.cgi?id=697808

Scores

CVSS v3 7.8
EPSS 0.9697
EPSS Percentile 99.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Lab Environment

Community Lab
docker pull vulhub/ghostscript:9.21-with-flask
+2 more repos

Details

CISA KEV 2022-05-24
VulnCheck KEV 2017-04-27
InTheWild.io 2017-04-27
ENISA EUVD EUVD-2017-17253
CWE CWE-843
Status published
Products (20)
artifex/ghostscript < 9.21
debian/debian_linux 8.0
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_eus 7.3
redhat/enterprise_linux_eus 7.4
redhat/enterprise_linux_eus 7.5
redhat/enterprise_linux_eus 7.6
redhat/enterprise_linux_eus 7.7
redhat/enterprise_linux_server 6.0
... and 10 more
Published Apr 27, 2017
KEV Added May 24, 2022
Tracked Since Feb 18, 2026