CVE-2025-24293

{"id": "CVE-2025-24293", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-24293", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-02-02T14:45:32.482487Z"}}], "cvssMetricV40": [{"type": "Secondary", "source": "support@hackerone.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "support@hackerone.com", "affectedData": [{"vendor": "Rails", "product": "activestorage", "versions": [{"status": "affected", "version": "5.2", "lessThan": "5.*", "versionType": "semver"}, {"status": "affected", "version": "7.0", "lessThan": "7.1.5.2", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "7.0.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}]}], "published": "2026-01-30T21:15:55.677", "references": [{"url": "https://github.com/advisories/GHSA-r4mg-4433-c7g3", "source": "support@hackerone.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "# Active Storage allowed transformation methods potentially unsafe\r\n\r\nActive Storage attempts to prevent the use of potentially unsafe image\r\ntransformation methods and parameters by default.\r\n\r\nThe default allowed list contains three methods allow for the circumvention\r\nof the safe defaults which enables potential command injection\r\nvulnerabilities in cases where arbitrary user supplied input is accepted as\r\nvalid transformation methods or parameters.\r\n\r\n\r\nImpact\r\n------\r\nThis vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.\r\n\r\nVulnerable code will look something similar to this:\r\n```\r\n<%= image_tag blob.variant(params[:t] => params[:v]) %>\r\n```\r\n\r\nWhere the transformation method or its arguments are untrusted arbitrary input.\r\n\r\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\r\n\r\n\r\n\r\nWorkarounds\r\n-----------\r\nConsuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.\r\n\r\nStrict validation of user supplied methods and parameters should be performed\r\nas well as having a strong [ImageMagick security\r\npolicy](https://imagemagick.org/script/security-policy.php) deployed.\r\n\r\nCredits\r\n-------\r\n\r\nThank you [lio346](https://hackerone.com/lio346) for reporting this!"}, {"lang": "es", "value": "# M\u00e9todos de transformaci\u00f3n permitidos de Active Storage potencialmente inseguros\n\nActive Storage intenta prevenir el uso de m\u00e9todos y par\u00e1metros de transformaci\u00f3n de imagen potencialmente inseguros por defecto.\n\nLa lista de permitidos por defecto contiene tres m\u00e9todos que permiten la elusi\u00f3n de los valores seguros por defecto, lo que habilita potenciales vulnerabilidades de inyecci\u00f3n de comandos en casos donde la entrada arbitraria suministrada por el usuario es aceptada como m\u00e9todos o par\u00e1metros de transformaci\u00f3n v\u00e1lidos.\n\nImpacto\n------\nEsta vulnerabilidad impacta a las aplicaciones que usan Active Storage con la gema de procesamiento image_processing adem\u00e1s de mini_magick como procesador de im\u00e1genes.\n\nEl c\u00f3digo vulnerable se ver\u00e1 similar a esto:\n```\n&lt;%= image_tag blob.variant(params[:t] =&gt; params[:v]) %&gt;\n```\n\nDonde el m\u00e9todo de transformaci\u00f3n o sus argumentos son entrada arbitraria no confiable.\n\nTodos los usuarios que ejecutan una versi\u00f3n afectada deber\u00edan actualizar o usar una de las soluciones alternativas inmediatamente.\n\nSoluciones alternativas\n-----------\nEl consumo de la entrada suministrada por el usuario para m\u00e9todos de transformaci\u00f3n de imagen o sus par\u00e1metros es un comportamiento no soportado y deber\u00eda considerarse peligroso.\n\nSe deber\u00eda realizar una validaci\u00f3n estricta de los m\u00e9todos y par\u00e1metros suministrados por el usuario, as\u00ed como tener una [pol\u00edtica de seguridad de ImageMagick](https://imagemagick.org/script/security-policy.php) robusta desplegada.\n\nCr\u00e9ditos\n-------\n\n\u00a1Gracias a [lio346](https://hackerone.com/lio346) por reportar esto!"}], "lastModified": "2026-06-17T08:58:30.490", "sourceIdentifier": "support@hackerone.com"}