CVE-2025-24293
Description
# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this!
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2:7.2.2.2+dfsg-2~deb13u1 |
| sid | Fixed | 2:7.2.2.2+dfsg-1 |
| forky | Fixed | 2:7.2.2.2+dfsg-1 |
| bullseye | Fixed | 2:6.0.3.7+dfsg-2+deb11u4 |
| bookworm | Fixed | 2:6.1.7.10+dfsg-1~deb12u2 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | activestorage | !< 5.20||<~> 7.1.5, >= 7.1.5.2 | ~> 7.1.5, >= 7.1.5.2 |
| RubyGems | activestorage | >=8.0,<8.0.2.1 | 8.0.2.1 |
| RubyGems | activestorage | >=7.2,<7.2.2.2 | 7.2.2.2 |
| RubyGems | activestorage | >=5.2.0,<7.1.5.2 | 7.1.5.2 |
References
- https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3
- https://www.suse.com/security/cve/CVE-2025-24293.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-24293
- https://github.com/rails/rails/commit/1b1adf6ee6ca0f3104fcfce79360b2ec1e06a354
- https://github.com/rails/rails/commit/2d612735ac0d9712fdfffaf80afa627e7295f6ce
- https://github.com/rails/rails/commit/fb8f3a18c3d97524c0efc29150d1e5f3162fbb13
- https://github.com/advisories/GHSA-r4mg-4433-c7g3
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml
- https://security-tracker.debian.org/tracker/CVE-2025-24293
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.