Rails Active Storage: Unsafe Image Transformation Enabling Command Injection
CVE-2025-24293 Published on January 30, 2026

# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this!

Github Repository NVD

Vulnerability Analysis

CVE-2025-24293 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2025-24293 has been classified to as a Code Injection vulnerability or weakness.

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2025-24293 has been classified to as a Command Injection vulnerability or weakness.

What is an Argument Injection Vulnerability?

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE-2025-24293 has been classified to as an Argument Injection vulnerability or weakness.


Products Associated with CVE-2025-24293

stack.watch emails you whenever new vulnerabilities are published in Red Hat 3scale Amp or Red Hat Satellite. Just hit a watch button to start following.

 
 

Affected Versions

Rails activestorage: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat 3scale API Management Platform 2: Red Hat Satellite 6: Red Hat Satellite 6:

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-24293

Package Manager Vulnerable Package Versions Fixed In
rubygems activestorage >= 8.0, < 8.0.2.1 8.0.2.1
rubygems activestorage >= 7.2, < 7.2.2.2 7.2.2.2
rubygems activestorage >= 5.20, < 7.1.5.2 7.1.5.2

Exploit Probability

EPSS
2.39%
Percentile
82.06%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.