GHSA-r4mg-4433-c7g3

Suggest an improvement
Source
https://github.com/advisories/GHSA-r4mg-4433-c7g3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-r4mg-4433-c7g3/GHSA-r4mg-4433-c7g3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-r4mg-4433-c7g3
Aliases
  • CVE-2025-24293
Published
2025-08-14T00:06:00Z
Modified
2025-08-21T22:05:18.806959Z
Severity
  • 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Active Storage allowed transformation methods that were potentially unsafe
Details

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

This has been assigned the CVE identifier CVE-2025-24293.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1

Impact

This vulnerability impacts applications that use Active Storage with the imageprocessing processing gem in addition to minimagick as the image processor.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.

Credits

Thank you lio346 from Unit 515 of OPSWAT for reporting this!

Database specific 
{
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-14T00:06:00Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-77"
    ]
}
References

Affected packages

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0
Fixed
8.0.2.1

Affected versions

8.*

8.0.0
8.0.0.1
8.0.1
8.0.2

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2
Fixed
7.2.2.2

Affected versions

7.*

7.2.0
7.2.1
7.2.1.1
7.2.1.2
7.2.2
7.2.2.1

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
7.1.5.2

Affected versions

5.*

5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2
5.2.4.3
5.2.4.4
5.2.4.5
5.2.4.6
5.2.5
5.2.6
5.2.6.1
5.2.6.2
5.2.6.3
5.2.7
5.2.7.1
5.2.8
5.2.8.1

6.*

6.0.0.beta1
6.0.0.beta2
6.0.0.beta3
6.0.0.rc1
6.0.0.rc2
6.0.0
6.0.1.rc1
6.0.1
6.0.2.rc1
6.0.2.rc2
6.0.2
6.0.2.1
6.0.2.2
6.0.3.rc1
6.0.3
6.0.3.1
6.0.3.2
6.0.3.3
6.0.3.4
6.0.3.5
6.0.3.6
6.0.3.7
6.0.4
6.0.4.1
6.0.4.2
6.0.4.3
6.0.4.4
6.0.4.5
6.0.4.6
6.0.4.7
6.0.4.8
6.0.5
6.0.5.1
6.0.6
6.0.6.1
6.1.0.rc1
6.1.0.rc2
6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.3
6.1.3.1
6.1.3.2
6.1.4
6.1.4.1
6.1.4.2
6.1.4.3
6.1.4.4
6.1.4.5
6.1.4.6
6.1.4.7
6.1.5
6.1.5.1
6.1.6
6.1.6.1
6.1.7
6.1.7.1
6.1.7.2
6.1.7.3
6.1.7.4
6.1.7.5
6.1.7.6
6.1.7.7
6.1.7.8
6.1.7.9
6.1.7.10

7.*

7.0.0.alpha1
7.0.0.alpha2
7.0.0.rc1
7.0.0.rc2
7.0.0.rc3
7.0.0
7.0.1
7.0.2
7.0.2.1
7.0.2.2
7.0.2.3
7.0.2.4
7.0.3
7.0.3.1
7.0.4
7.0.4.1
7.0.4.2
7.0.4.3
7.0.5
7.0.5.1
7.0.6
7.0.7
7.0.7.1
7.0.7.2
7.0.8
7.0.8.1
7.0.8.2
7.0.8.3
7.0.8.4
7.0.8.5
7.0.8.6
7.0.8.7
7.1.0.beta1
7.1.0.rc1
7.1.0.rc2
7.1.0
7.1.1
7.1.2
7.1.3
7.1.3.1
7.1.3.2
7.1.3.3
7.1.3.4
7.1.4
7.1.4.1
7.1.4.2
7.1.5
7.1.5.1