Problem
On Debian-based images, install-php-extensions vips runs apt-get install libvips libvips-dev, which transitively pulls in:
libmagickcore-7.q16-10 (ImageMagick core)
libraw23t64 (camera RAW)
libopenexr-3-1-30 (HDR/VFX format)
libpoppler*, libjxl0.11, libnss3, libhdf5-310, libmatio13, libopenjp2-7, …
These come from Debian's choice to build libvips with --with-magick, --with-openexr, --with-libraw enabled. The bundled magick/openexr/libraw loaders are useful for reading exotic formats (camera RAW, EXR, etc.) but most PHP workloads using vips for web image manipulation (JPEG/PNG/WebP/HEIC/TIFF) never use them.
On the current php:8.5-fpm + Debian 13 (trixie) base image as of 2026-05, those transitive deps account for 5 CRITICAL CVEs with no fixed version available:
CVE-2026-20884, CVE-2026-24450, CVE-2026-24660 (libraw23t64)
CVE-2026-42216, CVE-2026-42217 (libopenexr-3-1-30)
Plus 25+ HIGH and 60+ MEDIUM that disappear with a slimmer libvips.
Proposed solution
Add IPE_VIPS_MINIMAL=1 (analogous to IPE_GD_WITHOUTAVIF=1). When set on Debian, instead of apt install libvips libvips-dev, the script builds libvips from the upstream tarball with the heavy loaders disabled, then builds pecl-vips against it.
Meson flags used in the PoC:
-Dmagick=disabled
-Dopenexr=disabled
-Dlibraw=disabled
-Dpoppler=disabled
-Dopenslide=disabled
-Dmatio=disabled
-Dnifti=disabled
-Dpdfium=disabled
-Dcfitsio=disabled
Working PoC
Two non-obvious points uncovered while building it:
- Meson installs to
/usr/local/lib/<triplet>/ by default; pkg-config doesn't search that path consistently across distros — pass --libdir=lib to force /usr/local/lib/.
- The generated
vips.pc lists Requires.private: referencing fftw3, libtiff-4, etc. Their .pc files only ship with the matching -dev packages. For dynamic linking of pecl-vips against an already-linked libvips.so, those .pc files aren't needed — but pkg-config fails if they're missing. Stripping the Requires.private: line from vips.pc works around this.
Measured impact
On a derivative php:8.5-fpm image:
| Variant |
Total vulns |
CRITICAL |
HIGH |
Image size |
| stock (apt libvips) |
1254 |
5 |
89 |
822 MB |
IPE_VIPS_MINIMAL=1 (PoC) |
974 |
0 |
56 |
798 MB |
Happy to open a PR if the design is acceptable.
Problem
On Debian-based images,
install-php-extensions vipsrunsapt-get install libvips libvips-dev, which transitively pulls in:libmagickcore-7.q16-10(ImageMagick core)libraw23t64(camera RAW)libopenexr-3-1-30(HDR/VFX format)libpoppler*,libjxl0.11,libnss3,libhdf5-310,libmatio13,libopenjp2-7, …These come from Debian's choice to build
libvipswith--with-magick,--with-openexr,--with-librawenabled. The bundled magick/openexr/libraw loaders are useful for reading exotic formats (camera RAW, EXR, etc.) but most PHP workloads using vips for web image manipulation (JPEG/PNG/WebP/HEIC/TIFF) never use them.On the current
php:8.5-fpm+ Debian 13 (trixie) base image as of 2026-05, those transitive deps account for 5 CRITICAL CVEs with no fixed version available:CVE-2026-20884,CVE-2026-24450,CVE-2026-24660(libraw23t64)CVE-2026-42216,CVE-2026-42217(libopenexr-3-1-30)Plus 25+ HIGH and 60+ MEDIUM that disappear with a slimmer libvips.
Proposed solution
Add
IPE_VIPS_MINIMAL=1(analogous toIPE_GD_WITHOUTAVIF=1). When set on Debian, instead ofapt install libvips libvips-dev, the script builds libvips from the upstream tarball with the heavy loaders disabled, then builds pecl-vips against it.Meson flags used in the PoC:
Working PoC
Two non-obvious points uncovered while building it:
/usr/local/lib/<triplet>/by default; pkg-config doesn't search that path consistently across distros — pass--libdir=libto force/usr/local/lib/.vips.pclistsRequires.private:referencingfftw3,libtiff-4, etc. Their.pcfiles only ship with the matching-devpackages. For dynamic linking of pecl-vips against an already-linkedlibvips.so, those.pcfiles aren't needed — but pkg-config fails if they're missing. Stripping theRequires.private:line fromvips.pcworks around this.Measured impact
On a derivative
php:8.5-fpmimage:IPE_VIPS_MINIMAL=1(PoC)Happy to open a PR if the design is acceptable.