FKIE_CVE-2025-24293
Vulnerability from fkie_nvd - Published: 2026-01-30 21:15 - Updated: 2026-02-04 16:34
Severity: not yet assessed by NVD (vulnStatus: Awaiting Analysis); the secondary CVSS 4.0 metric supplied by support@hackerone.com scores it 9.2 CRITICAL.
Summary
# Active Storage allowed transformation methods potentially unsafe
Active Storage attempts to prevent the use of potentially unsafe image
transformation methods and parameters by default.
The default allowed list contains three methods that allow the safe defaults
to be circumvented, which enables potential command injection
vulnerabilities in cases where arbitrary user-supplied input is accepted as
valid transformation methods or parameters.
Impact
------
This vulnerability affects applications that use Active Storage with the image_processing gem and mini_magick as the image processor.
Vulnerable code looks similar to this:
```erb
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```
where the transformation method or its arguments are untrusted, arbitrary input.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
-----------
Consuming user-supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.
Strictly validate any user-supplied methods and parameters, and deploy a
strong [ImageMagick security
policy](https://imagemagick.org/script/security-policy.php).
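The validation the workaround calls for, as an added example that is not code from the Rails project or the advisory. It puts an allowlist of developer-chosen presets in front of `blob.variant`, so the request can pick a preset key but never a transformation method name, and the only client-tunable value is a bounded integer. The preset names (`thumb`, `medium`, `avatar`, `square`) and the size bounds are assumptions; `resize_to_limit` and `resize_to_fill` are image_processing's own method names. The module runs with plain Ruby, no Rails required; the `blob.variant` call it feeds appears only in a comment.

```ruby
# Added example: a strict validation layer in front of Active Storage's
# blob.variant. Not code from the Rails project or the advisory; preset
# names and size bounds are assumptions. Runs with plain Ruby (no Rails).
module VariantPolicy
  class Rejected < StandardError; end

  # Fixed presets. The transformation method names (image_processing's
  # resize_to_limit / resize_to_fill) are chosen here by the developer;
  # a client may only pick a key, never a method name.
  PRESETS = {
    "thumb"  => { resize_to_limit: [150, 150] },
    "medium" => { resize_to_limit: [600, 600] },
    "avatar" => { resize_to_fill:  [128, 128] },
  }.freeze

  # Bounds for the single client-tunable value (assumed limits).
  MIN_EDGE = 16
  MAX_EDGE = 2048

  # Build the argument for blob.variant from untrusted request values.
  # `preset` and `size` are whatever arrived in params (Strings, nil, or
  # anything else a client can send); everything unexpected is rejected.
  def self.options_for(preset, size = nil)
    if PRESETS.key?(preset)
      raise Rejected, "preset #{preset.inspect} takes no size" unless size.nil?
      return PRESETS[preset]
    end
    return { resize_to_limit: [checked_edge(size)] * 2 } if preset == "square"
    raise Rejected, "unknown preset #{preset.inspect}"
  end

  # Controllers that prefer a 404 to an exception can ask first.
  def self.valid?(preset, size = nil)
    options_for(preset, size)
    true
  rescue Rejected
    false
  end

  # The shape the advisory warns about, kept only for contrast. The client
  # chooses the method name and its argument, so every method on the
  # allowed list is reachable with attacker-controlled input. Do not use.
  def self.unsafe_options(t, v)
    { t.to_sym => v }
  end

  # Accept only 1-4 ASCII digits (Ruby's \d is ASCII-only), then
  # range-check the integer.
  def self.checked_edge(raw)
    unless raw.is_a?(String) && raw.match?(/\A\d{1,4}\z/)
      raise Rejected, "size must be 1-4 digits, got #{raw.inspect}"
    end
    edge = Integer(raw, 10)
    unless (MIN_EDGE..MAX_EDGE).cover?(edge)
      raise Rejected, "size #{edge} outside #{MIN_EDGE}..#{MAX_EDGE}"
    end
    edge
  end
  private_class_method :checked_edge
end

# In the view, the hardened counterpart of the advisory's snippet
# (blob.variant is the Active Storage API, so it stays a comment here):
#   <%= image_tag blob.variant(VariantPolicy.options_for(params[:preset], params[:size])) %>
```

Rejecting instead of sanitising is deliberate: there is no safe way to "clean" a method name, so the request never supplies one, and the numeric argument is accepted only as digits within known bounds. This covers the first half of the workaround; the ImageMagick `policy.xml` that disables coders the application never needs (MVG, MSL and the PostScript/PDF family are the usual candidates) is the second half and is independent of the application code.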
Credits
-------
Thank you [lio346](https://hackerone.com/lio346) for reporting this!
References
- https://github.com/advisories/GHSA-r4mg-4433-c7g3 (source: support@hackerone.com)
Impacted products
No vendor/product/version (CPE) entries are listed yet; the record is awaiting NVD analysis.
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "# Active Storage allowed transformation methods potentially unsafe\r\n\r\nActive Storage attempts to prevent the use of potentially unsafe image\r\ntransformation methods and parameters by default.\r\n\r\nThe default allowed list contains three methods that allow for the circumvention\r\nof the safe defaults which enables potential command injection\r\nvulnerabilities in cases where arbitrary user supplied input is accepted as\r\nvalid transformation methods or parameters.\r\n\r\n\r\nImpact\r\n------\r\nThis vulnerability impacts applications that use Active Storage with the image_processing gem in addition to mini_magick as the image processor.\r\n\r\nVulnerable code will look something similar to this:\r\n```\r\n\u003c%= image_tag blob.variant(params[:t] =\u003e params[:v]) %\u003e\r\n```\r\n\r\nWhere the transformation method or its arguments are untrusted arbitrary input.\r\n\r\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\r\n\r\n\r\n\r\nWorkarounds\r\n-----------\r\nConsuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.\r\n\r\nStrict validation of user supplied methods and parameters should be performed\r\nas well as having a strong [ImageMagick security\r\npolicy](https://imagemagick.org/script/security-policy.php) deployed.\r\n\r\nCredits\r\n-------\r\n\r\nThank you [lio346](https://hackerone.com/lio346) for reporting this!"
}
],
"id": "CVE-2025-24293",
"lastModified": "2026-02-04T16:34:21.763",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "support@hackerone.com",
"type": "Secondary"
}
]
},
"published": "2026-01-30T21:15:55.677",
"references": [
{
"source": "support@hackerone.com",
"url": "https://github.com/advisories/GHSA-r4mg-4433-c7g3"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
},
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}