Korea's KCSC mandates server-side image parsers
Korea's mandatory AI image scanning forces every forum into a multi-layer parser and ML pipeline. The CVE surface and exploitation paths that result.
South Korea’s Korea Communications Standards Commission is pushing forum operators toward mandatory AI image scanning at every upload. The compliance target is illegal content detection at the point of ingest. The implementation is the problem. Forums that previously ran a multipart parser and a thumbnail generator now run a full ML pipeline behind it. The attack surface multiplied. The bug classes multiplied with it.
The regulatory frame says nothing about how the scanning is done. Operators integrate either a vendor API or an on-premises model. Both paths converge on the same architecture: HTTP upload, format detection, decode through libjpeg-turbo, libpng, libwebp or libvips, resize through ImageMagick or Pillow, normalize into a tensor, feed to a CNN or multimodal transformer, parse the classification output, store. Each stage is a parser. Each parser has a bug history.
CVE-2023-4863 is the reference case. Heap buffer overflow in libwebp’s BuildHuffmanTable. CVSS v3 base 8.8. Exploited in the wild against Chrome before patch. The bug existed in code that millions of products linked - Electron, Signal, Slack, 1Password, every browser. A crafted WebP image triggered out-of-bounds writes to a heap-allocated Huffman table. Attacker-controlled bytes flowed into adjacent allocations. The exploit primitive was a constrained heap corruption that mature exploit dev turned into renderer RCE. Every forum mandated to scan WebP uploads now ingests attacker-controlled WebP into a server-side decoder. The class of bug did not end with the 2023 patch. libwebp ships in image stacks across every cloud preprocessing pipeline.
ImageMagick is worse. CVE-2016-3714, ImageTragick, command injection through MVG and SVG handlers. The decoder shelled out to ghostscript with attacker-controlled arguments. CVE-2022-44268 read arbitrary files: a crafted PNG tEXt chunk named a file path, and ImageMagick embedded that file's contents as a profile in the converted output. The bug class is delegation handlers and policy.xml gaps. Forums that adopt ImageMagick for resize-before-inference inherit the entire delegate trust chain. MVG, SVG, PDF, PS - every format the binary accepts becomes part of the upload surface regardless of what the front-end claims to allow. The result is CWE-78 in a process that runs under the same uid as the application server.
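The practical control against the delegate problem is to decide what a file is from its bytes before any decoder sees it, and to refuse every text-based format (SVG, MVG, PostScript, PDF) regardless of the extension or Content-Type the client declared. The following is an added example, not code from the original article or from any of the projects it names; the allowlist, size cap and sample bytes are constructed for illustration.

```python
# Byte-level format gate for an image upload path (added example).
# Runs before ImageMagick, Pillow or any decoder is invoked.

# Formats the upload path is willing to hand to a decoder (constructed policy).
ALLOWED_FORMATS = {"jpeg", "png", "gif", "webp"}
EXTENSION_FOR = {
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "gif": {"gif"},
    "webp": {"webp"},
}


def sniff_format(data: bytes) -> str:
    """Identify the container from its leading bytes, independent of the
    declared extension or Content-Type. Text-based vector and page formats
    that ImageMagick would accept are named so the caller can refuse them."""
    head = data[:64]
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"%!PS"):
        return "postscript"
    # Text formats may start with whitespace; compare case-insensitively.
    stripped = head.lstrip().lower()
    if stripped.startswith((b"<?xml", b"<!doctype", b"<svg")):
        return "svg"
    if stripped.startswith((b"push ", b"viewbox ")):
        return "mvg"
    return "unknown"


def accept_upload(data: bytes, filename: str,
                  max_bytes: int = 8 * 1024 * 1024) -> tuple[bool, str]:
    """Gate an upload on size, sniffed format and agreement between the
    sniffed format and the declared extension. Returns (accepted, reason)."""
    if len(data) > max_bytes:
        return False, "too large"
    if len(data) < 12:
        return False, "too small to be an image"
    fmt = sniff_format(data)
    if fmt not in ALLOWED_FORMATS:
        return False, f"refused format: {fmt}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSION_FOR[fmt]:
        return False, f"extension .{ext} does not match sniffed {fmt}"
    return True, fmt


if __name__ == "__main__":
    # Constructed sample: an SVG body uploaded under a .png name.
    svg = b"  <?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'/>"
    print(accept_upload(svg, "avatar.png"))
```

A passing sniff is a necessary condition, not a sufficient one: the bytes still go to a patched decoder inside whatever isolation the operator has, and the decoder should be invoked with the format forced (for example by passing an explicit reader rather than letting a library guess from content).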
The decoder is the first vulnerability stratum. The model loader is the second. Operators self-hosting a scanning model load weights at process start. The most common formats are PyTorch .pt or .pth files and pickle archives. Pickle is arbitrary code execution by design. A maliciously constructed model file invokes __reduce__ during unpickling and runs whatever Python the attacker writes. PyTorch's torch.load is documented as unsafe against untrusted input. Recent CVEs have covered torch.load weights_only=True bypasses where tensor metadata still reached a code path with arbitrary callable resolution. Operators who fetched a censorship model from a public hub got exactly the trust model they did not check. ONNX is safer because protobuf parsing is structurally bounded, but the inference runtime has surface. ONNX Runtime CVE history includes parser overflows in shape inference and graph optimization passes.
The third stratum is the inference path. This is where forum operators stop reading documentation. A CNN or vision transformer ingests a normalized tensor. The normalization pipeline divides pixel values, casts to float32, sometimes pads or crops. A malicious uploader exploits two properties simultaneously. Adversarial perturbations evade the classifier. Crafted inputs trigger resource exhaustion in preprocessing.
Adversarial evasion is operationally proven. FGSM, PGD, and Carlini-Wagner attacks produce inputs that bypass classification with imperceptible perturbation budgets. A forum’s censorship model trained to detect category X will miss inputs that fall outside its trained distribution under adversarial pressure. The attacker who wants to publish prohibited content does not need to defeat the model conceptually. They need to defeat it in the L-infinity ball around any input. Off-the-shelf adversarial generation tools produce these in minutes against any white-box model and in hours against any black-box model with query access.
The censorship API is a black-box query oracle by design. Every operator integrates either Naver’s, Kakao’s, or a domestic vendor’s scanning API. The API returns a verdict per image. That verdict is a query. Repeated queries refine attacker estimates of the decision boundary. This is the standard query-based evasion model. The forum becomes the query interface. The operator pays per call.
Visual prompt injection applies when the scanning model is a multimodal LLM. CLIP-style models and successors decode text from image content. Rendering text inside an image instructing the model to override its classification has been demonstrated to flip verdicts on more than one public system. The text does not need to be human-readable. Steganographic patterns the vision encoder treats as tokens are sufficient. The class is MITRE ATLAS AML.T0051, prompt injection, applied through the image modality.
The fourth stratum is the API integration itself. Forums calling a vendor scanning endpoint construct multipart bodies with the uploaded image embedded. The endpoint URL, the auth header, and the request body are server-side state. Server-side request forgery enters when the forum allows URL-based image submission. Upload via URL is a feature most forum software ships. The fetch happens server-side. The URL space the server can reach includes the cloud metadata endpoint at 169.254.169.254. The scanning API call now races against an attacker-controlled fetch that pulls IMDS credentials and pushes them into the next outbound request. T1606 territory. T1190 if the SSRF is the initial access vector.
SSRF against a censorship pipeline has a secondary path. The vendor scanning API expects an image URL or a base64 body. URL-based submission shifts fetch responsibility to the vendor. The vendor’s fetcher is now exploitable from the forum operator’s account. Cross-tenant fetch redirection has been the underlying class for multiple cloud SSRF disclosures in the past three years.
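The mitigation for the URL-upload path is to validate the target before the server-side fetch and again on every redirect, resolving the hostname once, refusing any non-public address, and pinning the connection to the validated address so a later re-resolution cannot swap it. The following is an added example, not code from the article or from any forum software it describes; the resolver and fetch callables are injected so the logic is testable offline, and the host names and the 11.22.33.44 address in the usage are constructed placeholders. The IMDS address 169.254.169.254 comes from the article; the IPv6 IMDS address is the one AWS documents.

```python
# URL validation for server-side image fetches (added example).
import ipaddress
import socket
from urllib.parse import urlsplit, urljoin

# Explicit denials on top of the is_global check (belt and braces).
DENY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",   # cloud instance metadata service (IPv4)
    "fd00:ec2::254/128",    # AWS instance metadata service (IPv6)
)]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def _default_resolver(host: str) -> list[str]:
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolver=_default_resolver) -> list[str]:
    """Validate a user-supplied URL the server is about to fetch.

    Returns every address the host resolves to, all of which must be public,
    so the caller can pin the connection to one of them. Raises ValueError
    for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]        # literal address
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    pinned = []
    for addr in addrs:
        # ::ffff:169.254.169.254 is an IPv6 literal that reaches the IPv4 host.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        if not addr.is_global or any(addr in net for net in DENY_NETWORKS):
            raise ValueError(f"{host} resolves to non-public address {addr}")
        pinned.append(str(addr))
    return pinned


def is_fetchable(url: str, resolver=_default_resolver) -> bool:
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


def fetch_image_url(url: str, fetch, resolver=_default_resolver,
                    max_redirects: int = 3) -> bytes:
    """Fetch with every hop re-validated. `fetch(url, pinned_ip)` is the
    caller's HTTP client wrapper and must not follow redirects itself; it
    returns (status, location_header_or_None, body)."""
    for _ in range(max_redirects + 1):
        pinned_ip = validate_fetch_url(url, resolver)[0]
        status, location, body = fetch(url, pinned_ip)
        if status in REDIRECT_CODES:
            if not location:
                raise ValueError("redirect without Location")
            url = urljoin(url, location)   # relative Location is resolved, then re-checked
            continue
        if status != 200:
            raise ValueError(f"unexpected status {status}")
        return body
    raise ValueError("too many redirects")


if __name__ == "__main__":
    fake_dns = {"cdn.example": ["11.22.33.44"]}   # constructed
    print(is_fetchable("http://cdn.example/a.webp", fake_dns.get))
    print(is_fetchable("http://169.254.169.254/latest/meta-data/"))
```

The same validator applies when the vendor API is asked to fetch a URL on the forum's behalf: the forum should only forward URLs that passed this check, since the vendor's fetcher is otherwise reachable from the operator's account.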
Container isolation is the assumed mitigation. Operators deploy scanning workers in containers under the assumption that decoder RCE is contained. The assumption is shallow. CVE-2024-0132 in NVIDIA Container Toolkit was a TOCTOU race that allowed container escape with mounted GPU access. ML inference workloads run with mounted GPU access by default. CVE-2022-0185 in the Linux kernel filesystem context was reachable by a container with CAP_SYS_ADMIN, which several ML container base images request for performance tuning. The chain runs: image upload, decoder RCE in worker, runtime or kernel CVE, host. A container is not a sandbox in this stack.
Telemetry on this pipeline is sparse. Operators monitor the upload endpoint with WAF rules tuned for SQL injection and XSS. They do not have signatures for malformed WebP or ImageMagick policy violations. A decoder crash produces a SIGSEGV in the worker process and a 5xx at the gateway. Sysmon Event ID 1 on Windows shows the convert.exe or magick.exe process spawn. Event ID 7 may show unusual DLL loads if the delegate chain pulls ghostscript. On Linux, auditd records execve of the delegate binary. Forums running scanning in a container almost never wire auditd into the container runtime, so the execve is unobserved. The crash signal appears as a restart in the orchestrator log and nothing else.
EDR coverage on image processing workloads is weak. The workload pattern is benign by EDR heuristics. CPU spikes, memory allocations, network calls to a known vendor endpoint. The anomaly that matters is shell spawn from the image processing service account. CrowdStrike and SentinelOne both alert on bash or sh as a child of a Python worker, which is what an ImageMagick delegate exploit produces. The detection holds only if the worker is not already running as a shell-capable user. Many forum stacks run their Python workers under a user with /bin/bash as login shell because the container base image inherited it.
SIEM correlation that catches this requires three signals joined. Upload event with image content-type. Process spawn event with a shell binary as child of the image worker. Outbound network connection to a non-vendor endpoint within a 30-second window. Splunk and Elastic both express this as a transaction or correlation rule. Most forum operators do not ship process telemetry to a SIEM. The detection gap is structural.
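The three-signal join described above, written out as detection logic over normalized events, so the rule can be tested before it is expressed in a SIEM. This is an added example, not the article's or any vendor's rule; the event schema, the vendor allowlist, the worker binary path and the sample events are constructed, with fields chosen to map onto what Sysmon Event ID 1/3 or auditd execve and connect records supply.

```python
# Upload -> shell spawn -> non-vendor egress correlation (added example).
from datetime import datetime, timedelta

VENDOR_ENDPOINTS = {"scan.vendor.example"}     # scanning API host (constructed)
WORKER_IMAGES = {"/usr/bin/python3"}           # image worker binary (assumption)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
WINDOW = timedelta(seconds=30)

# Constructed sample events, normalized from upload logs, process telemetry
# and connection telemetry.
SAMPLE_EVENTS = [
    # forum-worker-1: the full chain inside 30 s
    {"ts": "2025-01-15T10:00:00", "type": "upload", "host": "forum-worker-1",
     "content_type": "image/webp", "size": 48211},
    {"ts": "2025-01-15T10:00:02", "type": "process", "host": "forum-worker-1",
     "pid": 4410, "image": "/bin/sh", "parent_image": "/usr/bin/python3", "user": "imgworker"},
    {"ts": "2025-01-15T10:00:04", "type": "network", "host": "forum-worker-1",
     "pid": 4410, "dest_host": "203.0.113.7", "dest_port": 443},
    # forum-worker-2: normal scan traffic, then a shell whose only egress is the vendor
    {"ts": "2025-01-15T10:00:10", "type": "upload", "host": "forum-worker-2",
     "content_type": "image/png", "size": 120331},
    {"ts": "2025-01-15T10:00:11", "type": "network", "host": "forum-worker-2",
     "pid": 300, "dest_host": "scan.vendor.example", "dest_port": 443},
    {"ts": "2025-01-15T10:00:12", "type": "process", "host": "forum-worker-2",
     "pid": 301, "image": "/bin/sh", "parent_image": "/usr/bin/python3", "user": "imgworker"},
    {"ts": "2025-01-15T10:00:13", "type": "network", "host": "forum-worker-2",
     "pid": 301, "dest_host": "scan.vendor.example", "dest_port": 443},
    # forum-worker-1 again: shell spawn, but the egress lands outside the window
    {"ts": "2025-01-15T10:05:00", "type": "upload", "host": "forum-worker-1",
     "content_type": "image/jpeg", "size": 9001},
    {"ts": "2025-01-15T10:05:03", "type": "process", "host": "forum-worker-1",
     "pid": 4420, "image": "/bin/bash", "parent_image": "/usr/bin/python3", "user": "imgworker"},
    {"ts": "2025-01-15T10:05:40", "type": "network", "host": "forum-worker-1",
     "pid": 4420, "dest_host": "203.0.113.9", "dest_port": 8080},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(events, window: timedelta = WINDOW) -> list[dict]:
    """Alert when, on one host, an image upload is followed within `window`
    by a shell spawned as a child of the image worker and an outbound
    connection from that shell (or its child) to a non-vendor destination."""
    uploads = [e for e in events if e["type"] == "upload"
               and e.get("content_type", "").startswith("image/")]
    spawns = [e for e in events if e["type"] == "process"
              and e["parent_image"] in WORKER_IMAGES and e["image"] in SHELLS]
    egress = [e for e in events if e["type"] == "network"
              and e["dest_host"] not in VENDOR_ENDPOINTS]
    alerts = []
    for up in uploads:
        t0 = _ts(up["ts"])
        t1 = t0 + window
        for sp in spawns:
            if sp["host"] != up["host"] or not (t0 <= _ts(sp["ts"]) <= t1):
                continue
            for conn in egress:
                same_proc = conn["pid"] == sp["pid"] or conn.get("ppid") == sp["pid"]
                if (conn["host"] == up["host"] and same_proc
                        and _ts(sp["ts"]) <= _ts(conn["ts"]) <= t1):
                    alerts.append({"host": up["host"], "upload_ts": up["ts"],
                                   "shell": sp["image"], "pid": sp["pid"],
                                   "user": sp["user"], "dest": conn["dest_host"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The second worker-1 sequence is the deliberate miss: a shell did spawn under the worker, but the egress fell outside the window, which is exactly the kind of case to review when tuning the 30-second bound rather than widening it blindly.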
The Korean operational context adds density. KCSC enforcement is being implemented at platform and forum layer simultaneously. Naver and Kakao-level platforms already operate domestic ML pipelines under their own engineering. Smaller forums lack the engineering capacity to evaluate parser CVE exposure independently. They adopt vendor SDKs without auditing the bundled libwebp, libpng, or ONNX Runtime version. SDK update cadence becomes the de facto patch cadence. Vendor patch delay becomes a synchronized national exposure window across thousands of operators.
The post-patch reality is that libwebp, libpng, libjpeg-turbo, ImageMagick, libvips, Pillow, OpenCV, PyTorch, ONNX Runtime, and the vendor SDKs in front of them all continue to receive CVEs. The mandate compounds patch velocity requirements across every operator in the jurisdiction simultaneously. A single CVE in the standard scanning stack produces a synchronized exposure window. The vendor APIs do not patch operator infrastructure. The operator does.
Residual exposure after every component patches is the policy layer. Censorship verdicts produce a binary admit-or-reject decision that flows into application logic. The verdict is trusted. Logic errors in how that verdict is consumed - caching the result, keying it to a content hash, allowing the same hash to pass multiple uploads, allowing partial uploads to bypass scanning, allowing a scanner timeout to fail open - produce the practical bypass. These defects are not in CVE databases. They are in operator code, written under compliance haste, deployed under regulatory deadline.
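A verdict-consuming layer that avoids the defects listed above keys its cache on a server-computed digest of the complete body together with the model version, refuses a body whose received length disagrees with the declared length, and treats a scanner timeout as a rejection that is never cached. The following is an added example, not the article's or any forum's code; the scanner is an injected callable and the clock is injectable so the TTL behaviour can be exercised offline, and the sample bodies in the usage are constructed.

```python
# Fail-closed admission gate in front of a scanning verdict (added example).
import hashlib
import time


class ScanTimeout(Exception):
    """Raised by the scanner when the vendor API or local model did not answer."""


class AdmissionGate:
    """Consumes admit/reject verdicts for a forum upload path.

    - cache key: sha256 over the model version and the full received body,
      never a client-supplied hash or a prefix;
    - partial body (received != declared length): refused without scanning;
    - scanner timeout: rejected and not cached, so the next attempt rescans.
    """

    def __init__(self, scanner, model_version: str,
                 ttl_seconds: int = 3600, clock=time.monotonic):
        self._scanner = scanner            # callable(bytes) -> bool, True = admit
        self._model_version = model_version
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: dict[str, tuple[bool, float]] = {}

    def _key(self, body: bytes) -> str:
        h = hashlib.sha256()
        h.update(self._model_version.encode())
        h.update(b"\0")
        h.update(body)
        return h.hexdigest()

    def admit(self, body: bytes, declared_length: int) -> tuple[bool, str]:
        """Return (admitted, reason). reason is one of
        'partial upload', 'cached', 'timeout', 'scanned'."""
        if len(body) != declared_length:
            return False, "partial upload"
        key = self._key(body)
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0], "cached"
        try:
            verdict = bool(self._scanner(body))
        except ScanTimeout:
            return False, "timeout"
        self._cache[key] = (verdict, now + self._ttl)
        return verdict, "scanned"


if __name__ == "__main__":
    # Constructed scanner: rejects anything containing b"BAD", times out on b"SLOW".
    def demo_scanner(body: bytes) -> bool:
        if body.startswith(b"SLOW"):
            raise ScanTimeout()
        return b"BAD" not in body

    gate = AdmissionGate(demo_scanner, model_version="v1", ttl_seconds=60)
    body = b"RIFF\x00\x00\x00\x00WEBPVP8 " + b"\x00" * 8
    print(gate.admit(body, len(body)))
    print(gate.admit(body, len(body) - 1))
    print(gate.admit(b"SLOW" * 3, 12))
```

Bumping model_version on every scanner update invalidates earlier admits without flushing anything; if the operator's policy is to rescan every admit and only cache rejects, drop the admit branch from the cache write.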
The mandate is a parser-and-policy expansion executed at jurisdictional scale. The bug classes are not new. The exposure multiplier is.