- Description
- # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this!
- Source
- support@hackerone.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 9.2
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-77
- Hype score
- Not currently trending
CVE-2025-24293 # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods a… https://t.co/WhWvx3pAok
@CVEnew
30 Jan 2026
142 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
OPSWAT’s Unit 515 discovered a critical vulnerability (CVE-2025-24293) in Ruby on Rails Active Storage that could allow remote code execution in certain configurations. The research exposed a bypass of a previously patched CVE and contributed directly to the Rails security h
@OPSWAT
15 Sept 2025
123 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Rails CVE-2025-55193 및 CVE-2025-24293 분석 최근 공개된 Rails의 두 가지 주요 보안 취약점(CVE-2025-55193, CVE-2025-24293)에 대한 상세 분석 및 잠재적 악용 가능성을 다룹니다. #rails https://t.co/SOI56E803h
@rubynewskr
22 Aug 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Command Injection Vulnerability in Active Storage – CVE-2025-24293 ⚠️ Unsafe image transformations can allow attackers to execute commands. More info: https://t.co/HBBmu3rYVo #CyberSecurity #Vulnerability #ActiveStorage #DevSecOps #Vulert #Infosec #CommandI
@vulert_official
18 Aug 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes