CVE-2025-24293: Command Injection in Rails Activestorage

Severity: 9.2 CRITICAL (NVD)
EPSS: 0.2% (top 56.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 30

Description

Active Storage allowed transformation methods potentially unsafe. Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods that allow for the circumvention of the safe defaults, which enables potential command injection vulnerabilities in cases where arbitrary user-supplied input is accepted as valid transformation methods or parameters. Impact: This vulnerability impacts applications th

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (3 packages)

Source | Package | Versions
CVEListV5 | rails/activestorage | 5.25.* (+2)
RubyGems | rails/activestorage | 8.08.0.2.1 (+2)
Debian | rubyonrails/rails | < 2:6.0.3.7+dfsg-2+deb11u4 (+3)

Vulnerability Details (4)

CVEList: CVE-2025-24293: Active Storage allowed transformation methods potentially unsafe. Active Storage attempts to prevent the use of potentially unsafe image transformat (2026-01-30)
OSV: CVE-2025-24293: Active Storage allowed transformation methods potentially unsafe. Active Storage attempts to prevent the use of potentially unsafe image transformati (2026-01-30)
GHSA: Active Storage allowed transformation methods that were potentially unsafe (2025-08-14)
OSV: Active Storage allowed transformation methods that were potentially unsafe (2025-08-14)

Vendor Advisories (2)

Red Hat: activestorage: Code injection in Active Storage when used in conjunction with the image_processing gem (2026-01-30)
Debian: CVE-2025-24293: rails - Active Storage allowed transformation methods potentially unsafe Active Sto... (2025)

Threat Intelligence (1)

Wiz: CVE-2025-24293 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-24293 — Command Injection in Rails | cvebase