CVE-2021-21305
Published 2021-02-08
Priority P264 · CVSS 3.1: 8.8 (high) · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.68% (95.8th percentile)
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The `#manipulate!` method inappropriately evals the content of the mutation options (`:read`/`:write`), allowing attackers to craft a string that is executed as Ruby code. If an application developer supplies untrusted input to these options, this leads to remote code execution (RCE). This is fixed in versions 1.3.2 and 2.1.1.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| carrierwave_project | carrierwave | < 1.3.2 | 1.3.2 |
| carrierwave_project | carrierwave | >= 0 < 1.3.2 | 1.3.2 |
| carrierwave_project | carrierwave | >= 2.0.0 < 2.1.1 | 2.1.1 |
| carrierwave_project | carrierwave | >= 2.0.1 < 2.1.1 | 2.1.1 |
| carrierwaveuploader | carrierwave | < 1.3.2 | 1.3.2 |
| carrierwaveuploader | carrierwave | — | — |
| debian | ruby-carrierwave | < ruby-carrierwave 1.3.2-1 (bookworm) | ruby-carrierwave 1.3.2-1 (bookworm) |
Detection & IOCs (extracted from sources)
- The vulnerable sink is the `#manipulate!` method in CarrierWave, which unsafely evals the content of the mutation options (`:read`/`:write`). Monitor for unexpected Ruby `eval` calls originating from CarrierWave's `manipulate!` method with attacker-controlled option strings.
- Flag applications passing untrusted/user-supplied input into CarrierWave's `:read` or `:write` mutation options, as this is the direct exploitation vector for RCE.
- Exploitation requires the application developer to pass untrusted user input into the `:read`/`:write` mutation options of CarrierWave's `#manipulate!` method; purely internal/trusted use is not directly exploitable.
- Affected versions are CarrierWave 1.x before 1.3.2 and 2.x before 2.1.1. Patched versions 1.3.2 and 2.1.1 resolve the issue.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 7.4 | HIGH | — |
| vendor_ubuntu | — | 7.4 | HIGH | — |
OSV: ruby-carrierwave vulnerabilities
osv · 2025-05-07 · CVSS 8.8 · HIGH
Rikita Ishikawa discovered that CarrierWave did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-21305)

Norihide Saito discovered that CarrierWave did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. (CVE-2023-49090)
OSV: CVE-2021-21305: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications
osv · 2021-02-08 · CVSS 8.8 · HIGH
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The `#manipulate!` method inappropriately evals the content of the mutation options (`:read`/`:write`), allowing attackers to craft a string that is executed as Ruby code. If an application developer supplies untrusted input to these options, this leads to remote code execution (RCE). This is fixed in versions 1.3.2 and 2.1.1.
OSV: Code Injection vulnerability in CarrierWave::RMagick
osv · 2021-02-08 · HIGH
### Impact
[CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb) has a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of the mutation options (`:read`/`:write`), allowing attackers to craft a string that is executed as Ruby code.
If an application developer supplies untrusted input to these options, this leads to remote code execution (RCE).
(Supplying untrusted input to these options is dangerous even in the absence of this vulnerability, since it is prone to DoS: attackers can try to consume massive amounts of memory by resizing to a very large dimension.)
### Proof of Concept
```ruby
class MyUploader
```
GHSA: Code Injection vulnerability in CarrierWave::RMagick
ghsa · 2021-02-08 · HIGH · CWE-74
### Impact
[CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb) has a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of the mutation options (`:read`/`:write`), allowing attackers to craft a string that is executed as Ruby code.
If an application developer supplies untrusted input to these options, this leads to remote code execution (RCE).
(Supplying untrusted input to these options is dangerous even in the absence of this vulnerability, since it is prone to DoS: attackers can try to consume massive amounts of memory by resizing to a very large dimension.)
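As an added illustration of the bug class the Impact sections above describe (this is not CarrierWave's own code; `FakeImage`, the attribute names `density`/`quality` and the allowlist are assumptions for the demo), the string-interpolation-then-eval pattern is shown as source text only, beside a hardened builder that applies the same `:read`/`:write` style options without `eval`:

```ruby
# Added example, not CarrierWave's own code. FakeImage stands in for an RMagick
# image; the allowed attribute names and value types are assumptions for the demo.
class FakeImage
  attr_accessor :density, :quality
end

# UNSAFE pattern (the bug class in CVE-2021-21305): option keys and values are
# interpolated into Ruby source that is later eval'd, so a value such as
# "300; some_method" becomes code. Returned as text here, never eval'd.
def unsafe_info_source(options)
  assignments = options.map { |k, v| "self.#{k} = #{v}" }
  "lambda { |img| img.instance_eval { #{assignments.join('; ')} } }"
end

# Allowlist: which image attributes may be set, and the value type each accepts.
ALLOWED_ATTRS = { density: Integer, quality: Integer }.freeze

# Hardened replacement: validate keys and value types, then assign through
# public_send. No string ever becomes code, so untrusted input can only be rejected.
def safe_info_block(options)
  return nil if options.nil? || options.empty?
  options.each do |k, v|
    type = ALLOWED_ATTRS[k]
    raise ArgumentError, "option not allowed: #{k.inspect}" unless type
    raise ArgumentError, "bad value for #{k}: #{v.inspect}" unless v.is_a?(type)
  end
  ->(img) { options.each { |k, v| img.public_send(:"#{k}=", v) } }
end

# Apply :read-style options to a fresh image; returns the image for inspection.
def apply_options(options)
  img = FakeImage.new
  block = safe_info_block(options)
  block&.call(img)
  img
end

# Reviewer check: would this options hash be accepted by the hardened builder?
def options_accepted?(options)
  safe_info_block(options)
  true
rescue ArgumentError
  false
end
```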
### Proof of Concept
```ruby
class MyUploader
```
Ubuntu: CarrierWave vulnerabilities
vendor_ubuntu · 2025-05-07 · CVSS 7.4 · HIGH
Summary: Several security issues were fixed in CarrierWave.
Rikita Ishikawa discovered that CarrierWave did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-21305)

Norihide Saito discovered that CarrierWave did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. (CVE-2023-49090)
Instructions: In general, a standard system update will make all the necessary changes.
Debian: CVE-2021-21305: ruby-carrierwave
vendor_debian · 2021 · CVSS 7.4 · HIGH
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The `#manipulate!` method inappropriately evals the content of the mutation options (`:read`/`:write`), allowing attackers to craft a string that is executed as Ruby code. If an application developer supplies untrusted input to these options, this leads to remote code execution (RCE). This is fixed in versions 1.3.2 and 2.1.1.
Scope: local
bookworm: resolved (fixed in 1.3.2-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08
- https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08
- https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7
- https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4
- https://rubygems.org/gems/carrierwave