{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-24293","assignerOrgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","state":"PUBLISHED","assignerShortName":"hackerone","dateReserved":"2025-01-17T01:00:07.458Z","datePublished":"2026-01-30T20:11:15.219Z","dateUpdated":"2026-02-02T14:47:12.620Z"},"containers":{"cna":{"descriptions":[{"lang":"en","value":"# Active Storage allowed transformation methods potentially unsafe\r\n\r\nActive Storage attempts to prevent the use of potentially unsafe image\r\ntransformation methods and parameters by default.\r\n\r\nThe default allowed list contains three methods allow for the circumvention\r\nof the safe defaults which enables potential command injection\r\nvulnerabilities in cases where arbitrary user supplied input is accepted as\r\nvalid transformation methods or parameters.\r\n\r\n\r\nImpact\r\n------\r\nThis vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.\r\n\r\nVulnerable code will look something similar to this:\r\n```\r\n<%= image_tag blob.variant(params[:t] => params[:v]) %>\r\n```\r\n\r\nWhere the transformation method or its arguments are untrusted arbitrary input.\r\n\r\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\r\n\r\n\r\n\r\nWorkarounds\r\n-----------\r\nConsuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.\r\n\r\nStrict validation of user supplied methods and parameters should be performed\r\nas well as having a strong [ImageMagick security\r\npolicy](https://imagemagick.org/script/security-policy.php) deployed.\r\n\r\nCredits\r\n-------\r\n\r\nThank you [lio346](https://hackerone.com/lio346) for reporting this!"}],"affected":[{"defaultStatus":"unaffected","vendor":"Rails","product":"activestorage","versions":[{"version":"5.2","status":"affected","lessThan":"5.*","versionType":"semver"},{"version":"7.0","status":"affected","lessThan":"7.1.5.2","versionType":"semver"},{"version":"8.0","status":"affected","lessThan":"7.0.2.1","versionType":"semver"}]}],"references":[{"url":"https://github.com/advisories/GHSA-r4mg-4433-c7g3"}],"metrics":[{"cvssV4_0":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":9.2,"baseSeverity":"CRITICAL"}}],"providerMetadata":{"orgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","shortName":"hackerone","dateUpdated":"2026-01-30T20:11:15.219Z"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-94","lang":"en","description":"CWE-94 Improper Control of Generation of Code ('Code Injection')"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-77","lang":"en","description":"CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-02T14:45:32.482487Z","id":"CVE-2025-24293","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-02T14:47:12.620Z"}}]}}