CVE-2025-24293
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Active Storage allowed transformation methods potentially unsafe
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.
The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.
Impact
This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.
Vulnerable code will look something similar to this:
<%= image_tag blob.variant(params[:t] => params[:v]) %>
Where the transformation method or its arguments are untrusted arbitrary input.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.
Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.
Credits
Thank you lio346 for reporting this!
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Rails | activestorage | 5.2 < 5.* | affected |
| Rails | activestorage | 7.0 < 7.1.5.2 | affected |
| Rails | activestorage | 8.0 < 7.0.2.1 | affected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
activestorage: Code injection in Active Storage when used in conjunction with the image_processing gem
Additional References
- https://access.redhat.com/security/cve/CVE-2025-24293
- https://bugzilla.redhat.com/show_bug.cgi?id=2435565
- https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-24293.json
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.