Code Injection vulnerability in CarrierWave
Description
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method of CarrierWave::RMagick builds Ruby source from the values of its mutation options (:read/:write) and passes that source to eval, so an attacker who controls one of those values can craft a string that is executed as Ruby code. If an application developer supplies untrusted input to these options, this leads to remote code execution (RCE). This is fixed in versions 1.3.2 and 2.1.1.
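As an added illustration (not CarrierWave's own code), the pre-fix create_info_block and the patched form side by side, driven against a stand-in FakeImageInfo class that is an assumption of this example so it runs without ImageMagick; the option keys and values it feeds in, including the PAYLOAD string, are constructed for the example. The stand-in's density= mirrors RMagick's ArgumentError for a bad geometry, and its private secret= stands for any setter that option keys must never reach.

```ruby
# Added example, not CarrierWave's own code: the pre-fix create_info_block
# next to the patched one, driven by a stand-in for Magick::Image::Info
# (FakeImageInfo is an assumption so this runs without ImageMagick).
class FakeImageInfo
  attr_reader :density, :size

  # RMagick raises ArgumentError "invalid density geometry" for a bad
  # density; the stand-in accepts only "N", "N.N" or "NxM" style values.
  def density=(value)
    unless value.to_s.match?(/\A\d+(\.\d+)?(x\d+(\.\d+)?)?\z/)
      raise ArgumentError, "invalid density geometry: #{value.inspect}"
    end
    @density = value
  end

  def size=(value)
    @size = value
  end

  private

  # A setter that option keys must never be able to reach.
  def secret=(value)
    @secret = value
  end
end

# Collects anything an injected payload manages to execute.
SIDE_EFFECTS = []

# Vulnerable form (before 1.3.2 / 2.1.1): each option value is spliced into
# Ruby source and eval'd, so the value is treated as code, not data.
def vulnerable_info_block(options)
  return nil unless options
  assignments = options.map { |k, v| "img.#{k} = #{v}" }
  code = "lambda { |img| " + assignments.join(";") + "}"
  eval code
end

# Patched form (commit 387116f): no eval; the key selects a public setter
# via public_send and the value is handed over as an ordinary object.
def fixed_info_block(options)
  return nil unless options
  proc do |img|
    options.each do |k, v|
      # The real patch also emits a deprecation warning for quoted values.
      if v.is_a?(String) && (matches = v.match(/^["'](.+)["']/))
        v = matches[1]
      end
      img.public_send(:"#{k}=", v)
    end
  end
end

# Attacker-shaped value (constructed): it closes the lambda being generated,
# runs its own statement, then opens a fresh lambda so the source still parses.
PAYLOAD = "10 }; SIDE_EFFECTS << :code_ran; lambda { |img| img.density = 10"

# Builds the info block with the given builder and applies it to a fresh
# FakeImageInfo, returning the object so callers can inspect it.
def apply_options(builder, options)
  info = FakeImageInfo.new
  builder.call(options).call(info)
  info
end

if __FILE__ == $PROGRAM_NAME
  SIDE_EFFECTS.clear
  apply_options(method(:vulnerable_info_block), density: PAYLOAD)
  puts "vulnerable: injected code ran? #{SIDE_EFFECTS.include?(:code_ran)}"

  SIDE_EFFECTS.clear
  begin
    apply_options(method(:fixed_info_block), density: PAYLOAD)
  rescue ArgumentError => e
    puts "fixed: rejected (#{e.message}); injected code ran? #{SIDE_EFFECTS.include?(:code_ran)}"
  end
end
```

The vulnerable path runs the injected statement at eval time, before the returned lambda is ever called, which is why the bug needs no later processing step to trigger; the patched path hands the same string to density= as data, where it is rejected, and a key naming a private setter is refused by public_send rather than reaching the method.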
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| carrierwave | RubyGems | < 1.3.2 | 1.3.2 |
| carrierwave | RubyGems | >= 2.0.0, < 2.1.1 | 2.1.1 |
Affected products
- Range: < 1.3.2
Patches
387116f5c72e Fix Code Injection vulnerability in CarrierWave::RMagick
2 files changed · +42 −4
lib/carrierwave/processing/rmagick.rb+9 −3 modified@@ -378,9 +378,15 @@ def manipulate!(options={}, &block) def create_info_block(options) return nil unless options - assignments = options.map { |k, v| "img.#{k} = #{v}" } - code = "lambda { |img| " + assignments.join(";") + "}" - eval code + proc do |img| + options.each do |k, v| + if v.is_a?(String) && (matches = v.match(/^["'](.+)["']/)) + ActiveSupport::Deprecation.warn "Passing quoted strings like #{v} to #manipulate! is deprecated, pass them without quoting." + v = matches[1] + end + img.public_send(:"#{k}=", v) + end + end end def destroy_image(image)
spec/processing/rmagick_spec.rb+33 −1 modified@@ -208,9 +208,41 @@ instance.manipulate! :read => { :density => 10, - :size => %{"200x200"} + :size => "200x200" } end + + it 'shows deprecation but still accepts strings enclosed with double quotes' do + expect_any_instance_of(::Magick::Image::Info).to receive(:size=).once.with("200x200") + expect(ActiveSupport::Deprecation).to receive(:warn).with(any_args) + instance.manipulate! :read => {:size => %{"200x200"}} + end + + it 'shows deprecation but still accepts strings enclosed with single quotes' do + expect_any_instance_of(::Magick::Image::Info).to receive(:size=).once.with("200x200") + expect(ActiveSupport::Deprecation).to receive(:warn).with(any_args) + instance.manipulate! :read => {:size => %{'200x200'}} + end + + it 'does not allow arbitrary code execution' do + expect_any_instance_of(Kernel).not_to receive(:puts) + expect do + instance.manipulate! :read => { + :density => "1 }; raise; {" + } + end.to raise_error ArgumentError, /invalid density geometry/ + end + + it 'does not allow invocation of non-public methods' do + module Kernel + private def foo=(value); raise; end + end + expect do + instance.manipulate! :read => { + :foo => "1" + } + end.to raise_error NoMethodError, /private method `foo=' called/ + end end describe "#width and #height" do
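Review bot: in the lib/carrierwave/processing/rmagick.rb hunk the quote-stripping regex `/^["'](.+)["']/` does not require the opening and closing quotes to match and, because `^` in Ruby matches at the start of any line, it also fires on a multi-line value whose later line begins with a quote; anchor it with `\A`/`\z` and a backreference, e.g. `/\A(["'])(.+)\1\z/`, so only a fully quoted value is unwrapped. The key `k` is still interpolated unchecked into `img.public_send(:"#{k}=", v)`, so a caller that forwards untrusted keys can invoke any public setter on the Info/Image object; an allowlist of the attribute names `#manipulate!` is meant to accept would close that.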
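Review bot: in the spec/processing/rmagick_spec.rb hunk the expectation `expect_any_instance_of(Kernel).not_to receive(:puts)` in 'does not allow arbitrary code execution' is inert, because the payload `"1 }; raise; {"` never calls `puts`; either make the payload call it so the expectation has something to catch, or rely on the `raise_error ArgumentError` check alone. The 'does not allow invocation of non-public methods' case reopens `Kernel` and leaves a private `foo=` defined on every object for the rest of the suite; remove it afterwards (e.g. `Kernel.send(:remove_method, :foo=)` in an `after` block) so it cannot affect other examples.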
References
- github.com/advisories/GHSA-cf3w-g86h-35x4 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21305 (advisory)
- github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md (web)
- github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7 (web, fix commit)
- github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4 (web, vendor confirmation)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2021-21305.yml (web)
- rubygems.org/gems/carrierwave (web)