Rails Active Storage CVE-2025-24293
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable RCE (C/I/A:H), but AC:H because exploitation depends on the non-default condition that the app forwards untrusted input into transformation methods; no attacker auth (PR:N).
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
Active Storage allowed transformation methods potentially unsafe
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.
The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.
Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.
Vulnerable code will look something similar to this:
<%= image_tag blob.variant(params[:t] => params[:v]) %>Where the transformation method or its arguments are untrusted arbitrary input.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.
Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.
Credits -------
Thank you lio346 for reporting this!
AnalysisAI
Command injection in Ruby on Rails Active Storage allows attackers to abuse a permissive default allow-list of image transformation methods, escaping the framework's safe-transformation guardrails when an application forwards untrusted input as the transformation method or its parameters. Three methods on the default allow-list can be used to circumvent the safe defaults and reach the underlying ImageMagick processor, enabling OS command injection (CVSS 4.0 9.2). No public exploit has been identified at time of analysis, and EPSS is low at 0.22% (44th percentile), but a vendor patch is available and the issue is RCE-class.
Technical ContextAI
Active Storage is the Ruby on Rails subsystem for file/attachment handling; image variants are produced through the image_processing gem backed by an image processor - here MiniMagick, which shells out to ImageMagick. To reduce risk, Active Storage maintains an allow-list of transformation methods and parameters considered safe. The root cause (CWE-77, Command Injection) is that the default allow-list includes three methods that let a caller circumvent those safe defaults and pass attacker-controlled values into ImageMagick command construction. The vulnerable pattern is application code that binds request parameters directly into a variant, e.g. blob.variant(params[:t] => params[:v]), so untrusted method names/arguments flow into the MiniMagick/ImageMagick invocation.
Affected ProductsAI
The affected product is Ruby on Rails, specifically the Active Storage component, when used together with the image_processing gem and the MiniMagick image processor (which invokes ImageMagick). Applications not using Active Storage variants, or not routing untrusted user input into transformation methods/parameters, are not exploitable. A fixed Rails release is available per the vendor advisory; exact patched version numbers are not present in the provided input data and should be read from the advisory. Primary references: the GitHub Security Advisory GHSA-r4mg-4433-c7g3 (https://github.com/advisories/GHSA-r4mg-4433-c7g3), Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2025-24293), Red Hat Bugzilla 2435565 (https://bugzilla.redhat.com/show_bug.cgi?id=2435565), and the Red Hat CSAF/VEX document (https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-24293.json).
RemediationAI
Patch available per vendor advisory: upgrade Rails to the fixed release indicated in GHSA-r4mg-4433-c7g3 (https://github.com/advisories/GHSA-r4mg-4433-c7g3), citing the exact patched version for your Rails series before deploying. Until you can upgrade, stop consuming user-supplied input for image transformation methods or their parameters entirely - this is unsupported behavior, so the most effective control is to never bind request params into blob.variant(...) and instead map user choices to a fixed server-side dictionary of vetted transformations (trade-off: a code change that removes dynamic transformation flexibility). Additionally, enforce strict allow-list validation of any method names and argument values, and deploy a hardened ImageMagick security policy (policy.xml per https://imagemagick.org/script/security-policy.php) to disable risky coders/delegates and constrain resources (trade-off: an overly strict policy can break legitimate image formats/operations, so test against your real workload first).
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Not-Affected |
| SUSE Linux Enterprise High Availability Extension 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Availability Extension 12 SP5 | Not-Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP4 | Not-Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Not-Affected |
| SUSE Linux Enterprise High Availability Extension 12 SP4 | Not-Affected |
| SUSE Linux Enterprise High Availability Extension 15 | Not-Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP1 | Not-Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP2 | Not-Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP3 | Not-Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP6 | Not-Affected |
| openSUSE Leap 15.3 | Not-Affected |
| openSUSE Leap 15.4 | Not-Affected |
| openSUSE Leap 15.5 | Not-Affected |
| openSUSE Leap 15.6 | Not-Affected |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-r4mg-4433-c7g3