CVE-2025-24293

CRITICAL EPSS 79.1%
Published Jan 30, 20265mo ago · Modified Jun 17, 20262w ago
9.2 CVSS 4.0
Critical
Find Similar
Published Jan 30, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this!

CVSS Details

Base Score
9.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
79.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-77 Command Injection Injection
CWE-94 Improper Control of Generation of Code (Code Injection) Injection

References 1

  • github.com https://github.com/advisories/GHSA-r4mg-4433-c7g3

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.