GHSA-cxf7-qrc5-9446 · Severity: critical · Ecosystem: rubygems — Remote shell execution vulnerability in image_processing
image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process based on user input should always sanitize the user input by allowing only a constrained set of operations.
Conclusion & alert: CVE-2022-24720 is rated High Exploit Risk (85.1/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 2.60%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +1.72% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.88% | 2.60% | +1.72% |
| 2 | 2026-04-07 | 0.96% | 0.88% | -0.08% |
| 3 | 2026-03-25 | — | 0.96% | — |
Full EPSS history (24 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 10.0 | 2.0 | HIGH |
|
10.0 | 10.0 | [email protected] |
GHSA-cxf7-qrc5-9446 · Severity: critical · Ecosystem: rubygems — Remote shell execution vulnerability in image_processing
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2022-24720 not yet assigned priority: Debian including 1 source packages (ruby-image-processing), 2 status rows across 2 suites (bookworm, bullseye): resolved 2. | https://security-tracker.debian.org/tracker/CVE-2022-24720 |
ubuntu
|
medium | CVE-2022-24720 medium priority: Ubuntu including 1 source packages (ruby-image-processing), 10 status rows across 10 suites (focal, impish, jammy, kinetic, lunar, mantic, noble, trusty, upstream, xenial): ignored 4, not-affected 2, released 2, DNE 1, needs-triage 1. | https://ubuntu.com/security/CVE-2022-24720 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| image_processing_project | image_processing | < 1.12.2 | cpe:2.3:a:image_processing_project:image_processing:*:*:*:*:*:ruby:*:* |
| debian | debian_linux | 11.0 | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada | Patch |
| https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446 | Exploit Vendor Advisory |
| https://www.debian.org/security/2022/dsa-5310 | Third Party Advisory |