Skip to main content

Rails Active Storage CVE-2025-24293

CRITICAL
Command Injection (CWE-77)
2026-01-30 support@hackerone.com GHSA-r4mg-4433-c7g3
9.2
CVSS 4.0 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable RCE (C/I/A:H), but AC:H because exploitation depends on the non-default condition that the app forwards untrusted input into transformation methods; no attacker auth (PR:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

10
Analysis Updated
Jun 30, 2026 - 04:02 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:01 vuln.today
v4 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 04:00 vuln.today
Analysis Updated
Jun 30, 2026 - 04:00 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:00 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:23 NVD
9.2 (CRITICAL)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:00 vuln.today
CVE Published
Jan 30, 2026 - 21:15 nvd
N/A

DescriptionCVE.org

Active Storage allowed transformation methods potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.

Credits -------

Thank you lio346 for reporting this!

AnalysisAI

Command injection in Ruby on Rails Active Storage allows attackers to abuse a permissive default allow-list of image transformation methods, escaping the framework's safe-transformation guardrails when an application forwards untrusted input as the transformation method or its parameters. Three methods on the default allow-list can be used to circumvent the safe defaults and reach the underlying ImageMagick processor, enabling OS command injection (CVSS 4.0 9.2). No public exploit has been identified at time of analysis, and EPSS is low at 0.22% (44th percentile), but a vendor patch is available and the issue is RCE-class.

Technical ContextAI

Active Storage is the Ruby on Rails subsystem for file/attachment handling; image variants are produced through the image_processing gem backed by an image processor - here MiniMagick, which shells out to ImageMagick. To reduce risk, Active Storage maintains an allow-list of transformation methods and parameters considered safe. The root cause (CWE-77, Command Injection) is that the default allow-list includes three methods that let a caller circumvent those safe defaults and pass attacker-controlled values into ImageMagick command construction. The vulnerable pattern is application code that binds request parameters directly into a variant, e.g. blob.variant(params[:t] => params[:v]), so untrusted method names/arguments flow into the MiniMagick/ImageMagick invocation.

Affected ProductsAI

The affected product is Ruby on Rails, specifically the Active Storage component, when used together with the image_processing gem and the MiniMagick image processor (which invokes ImageMagick). Applications not using Active Storage variants, or not routing untrusted user input into transformation methods/parameters, are not exploitable. A fixed Rails release is available per the vendor advisory; exact patched version numbers are not present in the provided input data and should be read from the advisory. Primary references: the GitHub Security Advisory GHSA-r4mg-4433-c7g3 (https://github.com/advisories/GHSA-r4mg-4433-c7g3), Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2025-24293), Red Hat Bugzilla 2435565 (https://bugzilla.redhat.com/show_bug.cgi?id=2435565), and the Red Hat CSAF/VEX document (https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-24293.json).

RemediationAI

Patch available per vendor advisory: upgrade Rails to the fixed release indicated in GHSA-r4mg-4433-c7g3 (https://github.com/advisories/GHSA-r4mg-4433-c7g3), citing the exact patched version for your Rails series before deploying. Until you can upgrade, stop consuming user-supplied input for image transformation methods or their parameters entirely - this is unsupported behavior, so the most effective control is to never bind request params into blob.variant(...) and instead map user choices to a fixed server-side dictionary of vetted transformations (trade-off: a code change that removes dynamic transformation flexibility). Additionally, enforce strict allow-list validation of any method names and argument values, and deploy a hardened ImageMagick security policy (policy.xml per https://imagemagick.org/script/security-policy.php) to disable risky coders/delegates and constrain resources (trade-off: an overly strict policy can break legitimate image formats/operations, so test against your real workload first).

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 16.0 Affected
SUSE Linux Enterprise Server for SAP applications 16.0 Affected
openSUSE Leap 16.0 Affected
SUSE Linux Enterprise High Availability Extension 12 SP5 Not-Affected

Share

CVE-2025-24293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy