VYPR
Critical severity · NVD Advisory · Published Mar 1, 2022 · Updated Apr 22, 2025

Improper Input Validation in image_processing

CVE-2022-24720

Description

CVE-2022-24720 is an arbitrary shell command injection in the image_processing gem's #apply method, affecting Active Storage, fixed in version 1.12.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2022-24720 is a command injection vulnerability in the image_processing gem (versions prior to 1.12.2) that affects both the libvips and ImageMagick/GraphicsMagick backends. The flaw resides in the #apply method, which takes a hash of operations and dispatches each operation name as a method call on the builder (via Kernel#send, as the fix commit below shows); when that hash comes from unsanitized user input, any method name can be supplied. Because Active Storage variants internally call this method, Active Storage is also vulnerable. The vulnerability allows an attacker to craft a malicious operation hash, for example { system: 'echo EXECUTED' }, that results in shell command execution [1][4].

Exploitation

An attacker must be able to provide unsanitized user input that is passed to the #apply method of ImageProcessing::Vips or ImageProcessing::MiniMagick. This input can be supplied through web application parameters that are not filtered or validated. The attacker can construct a hash containing a :system key with a shell command string. When #apply processes the operations, the command is executed. No authentication is required if the application exposes the vulnerable endpoint; the attack does not require any special network position beyond being able to send HTTP requests to the application [4].

Impact

Successful exploitation results in arbitrary shell command execution on the server with the privileges of the application process (typically the web server user). This can lead to full compromise of the affected system, including data exfiltration, installation of malware, or lateral movement within the network. The vulnerability has a CVSS score of 9.8 (Critical) due to its low attack complexity and network-based attack vector [1].

Mitigation

The vulnerability is fixed in image_processing version 1.12.2. Users should upgrade immediately. As a workaround, developers must constrain user input to an explicit allow-list of operation names (for example resize_to_limit and strip) and validate their arguments before passing them to #apply [1][4].
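As an added example (not code from the image_processing gem, the advisory, or the fix commit), the allow-list described above written as a pure-Ruby filter that runs before #apply; the operation names and argument bounds are an assumed policy, and `ImageProcessing::Vips.source(file).apply(sanitize_operations(params)).call` is where it would slot in:

```ruby
# Added example, not code from the image_processing gem or the advisory:
# an allow-list filter applied to user-supplied operation hashes before
# they reach ImageProcessing::Vips#apply or ImageProcessing::MiniMagick#apply.

# Hypothetical policy: operation name => validator for its argument shape.
# Only reviewed operations appear here; anything else (including :system
# and :spawn) is rejected by name before any method dispatch happens.
ALLOWED_OPERATIONS = {
  # resize_to_limit(width, height): two bounded positive integers
  resize_to_limit: ->(arg) {
    arg.is_a?(Array) && arg.size == 2 &&
      arg.all? { |n| n.is_a?(Integer) && n.between?(1, 4096) }
  },
  # strip takes no argument: the hash value is true or nil
  strip: ->(arg) { arg == true || arg.nil? },
  # convert(format): a short lowercase extension, no path characters
  convert: ->(arg) { arg.is_a?(String) && arg.match?(/\A[a-z0-9]{1,5}\z/) },
}.freeze

class DisallowedOperation < StandardError; end

# Returns a new Hash with only allowed, well-formed operations (symbol keys,
# caller's order). Raises instead of silently dropping entries so that
# rejected input shows up in application logs.
def sanitize_operations(operations)
  raise DisallowedOperation, "operations must be a Hash" unless operations.is_a?(Hash)
  operations.each_with_object({}) do |(name, argument), safe|
    # Compare as strings so untrusted input is never interned as a Symbol
    key = ALLOWED_OPERATIONS.keys.find { |k| k.to_s == name.to_s }
    raise DisallowedOperation, "operation not allowed: #{name.inspect}" unless key
    unless ALLOWED_OPERATIONS[key].call(argument)
      raise DisallowedOperation, "bad argument for #{key}: #{argument.inspect}"
    end
    safe[key] = argument
  end
end

# Boolean form for callers that want to reject the whole request quietly
def safe_operations?(operations)
  sanitize_operations(operations)
  true
rescue DisallowedOperation
  false
end

if __FILE__ == $0
  # Constructed sample input, as it might arrive from a parsed JSON body
  p sanitize_operations("resize_to_limit" => [800, 600], "strip" => true)
  p safe_operations?("system" => "echo EXECUTED")  # => false
end
```

Because the patched gem still dispatches any public builder method by name (public_send), the name check is worth keeping even on 1.12.2.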

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: image_processing (RubyGems)
Affected versions: < 1.12.2
Patched versions: 1.12.2

Affected products: 2

Patches: 1

Commit 038e4574e8f4

Prevent remote shell execution in `#apply`

https://github.com/janko/image_processing · Janko Marohnić · Mar 1, 2022 · via ghsa
3 files changed · +23 -4
  • CHANGELOG.md (+4 -0, modified)
    @@ -1,3 +1,7 @@
    +## HEAD
    +
    +* Prevent remote shell execution when using `#apply` with operations coming from user input (@janko)
    +
     ## 1.12.1 (2020-11-06)
     
     * Fix format fallback for files ending with a dot on Ruby 2.7+ (@coding-chimp)
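Review bot: the new `## HEAD` entry names the symptom but not the change or the advisory, so a reader of the changelog cannot tell what was actually altered or whether their own use of `#apply` is affected. Suggest saying that `#apply` now dispatches operations with `public_send` instead of `send`, so private Kernel methods such as `system` are no longer reachable from user-supplied operation names, and referencing CVE-2022-24720; the version number (1.12.2) and date still need filling in at release.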
    
  • lib/image_processing/chainable.rb (+4 -4, modified)
    @@ -34,13 +34,13 @@ def instrumenter(&block)
         def apply(operations)
           operations.inject(self) do |builder, (name, argument)|
             if argument == true || argument == nil
    -          builder.send(name)
    +          builder.public_send(name)
             elsif argument.is_a?(Array)
    -          builder.send(name, *argument)
    +          builder.public_send(name, *argument)
             elsif argument.is_a?(Hash)
    -          builder.send(name, **argument)
    +          builder.public_send(name, **argument)
             else
    -          builder.send(name, argument)
    +          builder.public_send(name, argument)
             end
           end
         end
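Review bot: replacing `send` with `public_send` in all four branches stops private `Kernel` methods like `system` from being reached, but any public method on the builder is still callable by name from a user-supplied `operations` hash, so this closes the reported hole without validating the input itself. Consider checking each `name` against an explicit allow-list of operation names before dispatch, or at least documenting (as the advisory's mitigation does) that callers must allow-list names before `#apply`. Minor style point: `argument == nil` reads more idiomatically as `argument.nil?`.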
    
  • test/pipeline_test.rb (+15 -0, modified)
    @@ -258,4 +258,19 @@
           ImageProcessing::Vips.valid?(@portrait)
         end
       end
    +
    +  it "doesn't allow making system calls" do
    +    ImageProcessing::Vips.source(@portrait).apply(system: "touch foo.txt")
    +    refute File.exist?("foo.txt")
    +
    +    assert_raises Vips::Error do
    +      ImageProcessing::Vips.source(@portrait).spawn("touch foo.txt").call
    +    end
    +    refute File.exist?("foo.txt")
    +
    +    assert_raises MiniMagick::Error do
    +      ImageProcessing::MiniMagick.source(@portrait).spawn("touch foo.txt").call
    +    end
    +    refute File.exist?("foo.txt")
    +  end
     end
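Review bot: the first case calls `apply(system: "touch foo.txt")` without `.call`, so unlike the two `spawn` cases it asserts nothing about what happens when the pipeline is executed; wrapping a `.call` in `assert_raises` as the other cases do would pin down that the operation is rejected at execution time rather than merely not run at build time. Also `foo.txt` is never removed, so a regression or an interrupted run would leave the file behind and make every later run fail on the first `refute File.exist?("foo.txt")` regardless of the code under test; delete it in an `ensure` block or a teardown.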
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.