CVE-2025-24293
Command Injection via Unsafe Image Transformations in Active Storage
Publication date: 2026-01-30
Last updated on: 2026-02-02
Assigner: HackerOne
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ruby_on_rails | active_storage | From 5.2.0 (inc) to 7.1.5.2 (exc) |
| ruby_on_rails | active_storage | 7.1.5.2 |
| ruby_on_rails | active_storage | 7.2.2.2 |
| ruby_on_rails | active_storage | 8.0.2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-24293 is a critical vulnerability in Ruby on Rails' Active Storage component where certain image transformation methods allowed by default can be exploited to bypass safety measures. This enables potential command injection attacks if an application accepts arbitrary user input as transformation methods or parameters. Specifically, applications using Active Storage with the image_processing gem and mini_magick as the image processor are affected. Attackers can execute arbitrary commands remotely without privileges or user interaction by exploiting unsafe handling of user-supplied parameters in image transformations. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can lead to severe impacts including unauthorized remote command execution on the affected system. It compromises the confidentiality, integrity, and availability of the application and underlying system. Attackers can exploit this flaw to run arbitrary commands without needing privileges or user interaction, potentially leading to full system compromise, data breaches, or service disruption. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying whether your Ruby on Rails application uses Active Storage with the image_processing gem and mini_magick as the image processor, and whether it passes untrusted user input directly as image transformation methods or parameters. You can search your codebase for patterns like `<%= image_tag blob.variant(params[:t] => params[:v]) %>`, where both the transformation method and its argument come from the request. Additionally, monitoring logs for unusual command execution or image processing requests with suspicious parameters may help. There are no specific commands provided in the resources for detection. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading your Ruby on Rails Active Storage component to one of the fixed versions: 7.1.5.2, 7.2.2.2, or 8.0.2.1. If upgrading is not immediately possible, apply strict validation to all user-supplied transformation methods and parameters to ensure only safe values are accepted. Additionally, deploy a strong ImageMagick security policy to limit potential command injection risks. [1]
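The following is an added example, not code from the advisory or from Rails itself, showing the strict-validation approach recommended above: instead of letting a request name a transformation method and argument (the `blob.variant(params[:t] => params[:v])` pattern from the detection answer), the application only lets the client pick from fixed presets, and any dimension that legitimately varies is checked against an anchored digits-only pattern and an upper bound. The module name `SafeVariants`, the preset names and the limits are assumptions chosen for illustration; the returned hash is what the application would hand to `ActiveStorage::Blob#variant`.

```ruby
# Added example (not from the advisory or from Rails): allow-list Active Storage
# variant transformations instead of passing request parameters through.
#
# Unsafe pattern described in the advisory (client chooses method AND argument):
#   blob.variant(params[:t] => params[:v])
#
# Hardened approach: request input never names a transformation. The client may
# only select a preset; every preset is a fixed hash written in application code.
# Dimensions that must vary are validated strictly before reaching the processor.
module SafeVariants
  class InvalidTransformation < ArgumentError; end

  # Fixed presets (assumed names): the only transformation hashes the app will
  # ever pass to ActiveStorage::Blob#variant. Keys and values are literals.
  PRESETS = {
    "thumb"  => { resize_to_limit: [100, 100] },
    "medium" => { resize_to_limit: [400, 400] },
    "avatar" => { resize_to_fill: [128, 128], format: :webp },
  }.freeze

  MAX_DIMENSION = 2000 # assumed application-specific bound

  # Returns the transformation hash for a preset chosen by the client.
  # Anything that is not an exact preset name is rejected.
  def self.for_preset(name)
    PRESETS.fetch(name.to_s) do
      raise InvalidTransformation, "unknown variant preset #{name.inspect}"
    end
  end

  # When the client legitimately needs to choose a size, accept only a pair of
  # bounded decimal integers; the transformation method itself stays fixed.
  def self.custom_limit(width, height)
    { resize_to_limit: [strict_dimension(width), strict_dimension(height)] }
  end

  def self.strict_dimension(value)
    s = value.to_s
    # Anchored pattern, digits only: geometry strings, option flags or any
    # other non-numeric input never get near the image processor.
    unless s.match?(/\A[1-9]\d{0,3}\z/)
      raise InvalidTransformation, "bad dimension #{s.inspect}"
    end
    n = Integer(s, 10)
    raise InvalidTransformation, "dimension #{n} exceeds #{MAX_DIMENSION}" if n > MAX_DIMENSION
    n
  end
  private_class_method :strict_dimension
end

# Constructed request parameters standing in for `params` in a controller.
if __FILE__ == $PROGRAM_NAME
  puts SafeVariants.for_preset("thumb").inspect            # fixed hash from PRESETS
  puts SafeVariants.custom_limit("800", "600").inspect     # validated dimensions
  begin
    SafeVariants.for_preset("some_other_method")           # not a preset: rejected
  rescue SafeVariants::InvalidTransformation => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the design is that request data only ever selects among hashes the application wrote, or supplies a bounded integer; it never becomes a method name or a free-form argument string. Rails also exposes `config.active_storage.supported_image_processing_methods` and `config.active_storage.unsupported_image_processing_arguments` to restrict what the variant processor will accept at all; an application-level allow-list like the one above complements that setting and the ImageMagick security policy mentioned in the mitigation answer rather than replacing either.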