GHSA-R4MG-4433-C7G3
Vulnerability from github – Published: 2025-08-14 00:06 – Updated: 2026-01-31 03:54Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.
The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.
This has been assigned the CVE identifier CVE-2025-24293.
Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1
Impact
This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.
Vulnerable code will look something similar to this:
<%= image_tag blob.variant(params[:t] => params[:v]) %>
Where the transformation method or its arguments are untrusted arbitrary input.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.
Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.
Credits
Thank you lio346 from Unit 515 of OPSWAT for reporting this!
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activestorage"
},
"ranges": [
{
"events": [
{
"introduced": "8.0"
},
{
"fixed": "8.0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "activestorage"
},
"ranges": [
{
"events": [
{
"introduced": "7.2"
},
{
"fixed": "7.2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "activestorage"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "7.1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24293"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-14T00:06:00Z",
"nvd_published_at": "2026-01-30T21:15:55Z",
"severity": "CRITICAL"
},
"details": "Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.\n\nThe default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.\n\nThis has been assigned the CVE identifier CVE-2025-24293.\n\n\nVersions Affected: \u003e= 5.2.0\nNot affected: \u003c 5.2.0\nFixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1\n\nImpact\n------\nThis vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.\n\nVulnerable code will look something similar to this:\n\n```\n\u003c%= image_tag blob.variant(params[:t] =\u003e params[:v]) %\u003e\n```\n\nWhere the transformation method or its arguments are untrusted arbitrary input.\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nConsuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.\n\nStrict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed.\n\nCredits\n-------\n\nThank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this!",
"id": "GHSA-r4mg-4433-c7g3",
"modified": "2026-01-31T03:54:44Z",
"published": "2025-08-14T00:06:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24293"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/1b1adf6ee6ca0f3104fcfce79360b2ec1e06a354"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/2d612735ac0d9712fdfffaf80afa627e7295f6ce"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/fb8f3a18c3d97524c0efc29150d1e5f3162fbb13"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r4mg-4433-c7g3"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Active Storage allowed transformation methods that were potentially unsafe"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.