GHSA-r4mg-4433-c7g3 · Severity: critical · Ecosystem: rubygems — Active Storage allowed transformation methods that were potentially unsafe
# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this!
Conclusion & alert: CVE-2025-24293 is rated Moderate Risk (50.5/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.18%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-03 | 0.14% | 0.18% | +0.04% |
| 2 | 2026-03-01 | 0.17% | 0.14% | -0.03% |
| 3 | 2026-02-05 | — | 0.17% | — |
Full EPSS history (4 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.2 | 4.0 | CRITICAL |
|
— | — | [email protected] |
GHSA-r4mg-4433-c7g3 · Severity: critical · Ecosystem: rubygems — Active Storage allowed transformation methods that were potentially unsafe
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2025-24293 not yet assigned priority: Debian including 1 source packages (rails), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2025-24293 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2025-24293 |
suse
|
high | CVE-2025-24293 severity important: SUSE including 1 source package names (hawk2), 7 product×package rows across 7 product lines (SUSE Linux Enterprise High Availability Extension 12 SP5, SUSE Linux Enterprise High Availability Extension 15 SP4, … (7 product lines)): Known Not Affected 7. | https://www.suse.com/security/cve/CVE-2025-24293/ |
ubuntu
|
medium | CVE-2025-24293 medium priority: Ubuntu including 1 source packages (rails), 8 status rows across 8 suites (bionic, focal, jammy, noble, plucky, questing, upstream, xenial): needs-triage 7, ignored 1. | https://ubuntu.com/security/CVE-2025-24293 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||