CVE-2025-24293
Unknown Unknown - Not Provided
Command Injection via Unsafe Image Transformations in Active Storage

Publication date: 2026-01-30

Last updated on: 2026-02-02

Assigner: HackerOne

Description
# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this!
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-24293
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
ruby_on_rails active_storage From 5.2.0 (inc) to 7.1.5.2 (exc)
ruby_on_rails active_storage 7.1.5.2
ruby_on_rails active_storage 7.2.2.2
ruby_on_rails active_storage 8.0.2.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-24293 is a critical vulnerability in Ruby on Rails' Active Storage component where certain image transformation methods allowed by default can be exploited to bypass safety measures. This enables potential command injection attacks if an application accepts arbitrary user input as transformation methods or parameters. Specifically, applications using Active Storage with the image_processing gem and mini_magick as the image processor are affected. Attackers can execute arbitrary commands remotely without privileges or user interaction by exploiting unsafe handling of user-supplied parameters in image transformations. [1]

Impact Analysis

This vulnerability can lead to severe impacts including unauthorized remote command execution on the affected system. It compromises the confidentiality, integrity, and availability of the application and underlying system. Attackers can exploit this flaw to run arbitrary commands without needing privileges or user interaction, potentially leading to full system compromise, data breaches, or service disruption. [1]

Detection Guidance

Detection involves identifying if your Ruby on Rails application uses Active Storage with the image_processing gem and mini_magick as the image processor, and if it accepts untrusted user input directly as image transformation methods or parameters. You can search your codebase for patterns like `<%= image_tag blob.variant(params[:t] => params[:v]) %>`. Additionally, monitoring logs for unusual command execution or image processing requests with suspicious parameters may help. There are no specific commands provided in the resources for detection. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading your Ruby on Rails Active Storage component to one of the fixed versions: 7.1.5.2, 7.2.2.2, or 8.0.2.1. If upgrading is not immediately possible, apply strict validation to all user-supplied transformation methods and parameters to ensure only safe values are accepted. Additionally, deploy a strong ImageMagick security policy to limit potential command injection risks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-24293. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart