Critical severityNVD Advisory· Published Jan 30, 2026· Updated Apr 15, 2026

CVE-2025-24293

Description

# Active Storage allowed transformation methods potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this: `` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.

Credits -------

Thank you lio346 for reporting this!

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
activestorageRubyGems	>= 8.0, < 8.0.2.1	8.0.2.1
activestorageRubyGems	>= 7.2, < 7.2.2.2	7.2.2.2
activestorageRubyGems	>= 5.2.0, < 7.1.5.2	7.1.5.2

Affected products

RubyGems/Mini Magickinferred

Patches

2d612735ac0d

Active Storage: Remove dangerous transformations

https://github.com/rails/railsZack DeveauAug 12, 2025via ghsa

commit

2 files changed · +3 −6

activestorage/lib/active_storage.rb+0 −3 modified

@@ -72,7 +72,6 @@ module ActiveStorage
     "annotate",
     "antialias",
     "append",
-    "apply",
     "attenuate",
     "authenticate",
     "auto_gamma",
@@ -213,7 +212,6 @@ module ActiveStorage
     "linewidth",
     "liquid_rescale",
     "list",
-    "loader",
     "log",
     "loop",
     "lowlight_color",
@@ -276,7 +274,6 @@ module ActiveStorage
     "rotate",
     "sample",
     "sampling_factor",
-    "saver",
     "scale",
     "scene",
     "screen",

activestorage/test/models/variant_test.rb+3 −3 modified

@@ -257,7 +257,7 @@ class ActiveStorage::VariantTest < ActiveSupport::TestCase
     process_variants_with :mini_magick do
       blob = create_file_blob(filename: "racecar.jpg")
       assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
-        blob.variant(saver: { "-write": "/tmp/file.erb" }).processed
+        blob.variant(resize: { "-write": "/tmp/file.erb" }).processed
       end
     end
   end
@@ -266,11 +266,11 @@ class ActiveStorage::VariantTest < ActiveSupport::TestCase
     process_variants_with :mini_magick do
       blob = create_file_blob(filename: "racecar.jpg")
       assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
-        blob.variant(saver: { "something": { "-write": "/tmp/file.erb" } }).processed
+        blob.variant(resize: { "something": { "-write": "/tmp/file.erb" } }).processed
       end
 
       assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
-        blob.variant(saver: { "something": ["-write", "/tmp/file.erb"] }).processed
+        blob.variant(resize: { "something": ["-write", "/tmp/file.erb"] }).processed
       end
     end
   end

fb8f3a18c3d9

Active Storage: Remove dangerous transformations

https://github.com/rails/railsZack DeveauAug 12, 2025via ghsa

commit

2 files changed · +3 −6

activestorage/lib/active_storage.rb+0 −3 modified

@@ -72,7 +72,6 @@ module ActiveStorage
     "annotate",
     "antialias",
     "append",
-    "apply",
     "attenuate",
     "authenticate",
     "auto_gamma",
@@ -213,7 +212,6 @@ module ActiveStorage
     "linewidth",
     "liquid_rescale",
     "list",
-    "loader",
     "log",
     "loop",
     "lowlight_color",
@@ -276,7 +274,6 @@ module ActiveStorage
     "rotate",
     "sample",
     "sampling_factor",
-    "saver",
     "scale",
     "scene",
     "screen",

activestorage/test/models/variant_test.rb+3 −3 modified

@@ -257,7 +257,7 @@ class ActiveStorage::VariantTest < ActiveSupport::TestCase
     process_variants_with :mini_magick do
       blob = create_file_blob(filename: "racecar.jpg")
       assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
-        blob.variant(saver: { "-write": "/tmp/file.erb" }).processed
+        blob.variant(resize: { "-write": "/tmp/file.erb" }).processed
       end
     end
   end
@@ -266,11 +266,11 @@ class ActiveStorage::VariantTest < ActiveSupport::TestCase
     process_variants_with :mini_magick do
       blob = create_file_blob(filename: "racecar.jpg")
       assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
-        blob.variant(saver: { "something": { "-write": "/tmp/file.erb" } }).processed
+        blob.variant(resize: { "something": { "-write": "/tmp/file.erb" } }).processed
       end
 
       assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
-        blob.variant(saver: { "something": ["-write", "/tmp/file.erb"] }).processed
+        blob.variant(resize: { "something": ["-write", "/tmp/file.erb"] }).processed
       end
     end
   end

1b1adf6ee6ca

Active Storage: Remove dangerous transformations

https://github.com/rails/railsZack DeveauAug 12, 2025via ghsa

commit

2 files changed · +3 −6

activestorage/lib/active_storage.rb+0 −3 modified

@@ -72,7 +72,6 @@ module ActiveStorage
     "annotate",
     "antialias",
     "append",
-    "apply",
     "attenuate",
     "authenticate",
     "auto_gamma",
@@ -213,7 +212,6 @@ module ActiveStorage
     "linewidth",
     "liquid_rescale",
     "list",
-    "loader",
     "log",
     "loop",
     "lowlight_color",
@@ -276,7 +274,6 @@ module ActiveStorage
     "rotate",
     "sample",
     "sampling_factor",
-    "saver",
     "scale",
     "scene",
     "screen",

activestorage/test/models/variant_test.rb+3 −3 modified

@@ -246,7 +246,7 @@ class ActiveStorage::VariantTest < ActiveSupport::TestCase
     process_variants_with :mini_magick do
       blob = create_file_blob(filename: "racecar.jpg")
       assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
-        blob.variant(saver: { "-write": "/tmp/file.erb" }).processed
+        blob.variant(resize: { "-write": "/tmp/file.erb" }).processed
       end
     end
   end
@@ -255,11 +255,11 @@ class ActiveStorage::VariantTest < ActiveSupport::TestCase
     process_variants_with :mini_magick do
       blob = create_file_blob(filename: "racecar.jpg")
       assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
-        blob.variant(saver: { "something": { "-write": "/tmp/file.erb" } }).processed
+        blob.variant(resize: { "something": { "-write": "/tmp/file.erb" } }).processed
       end
 
       assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
-        blob.variant(saver: { "something": ["-write", "/tmp/file.erb"] }).processed
+        blob.variant(resize: { "something": ["-write", "/tmp/file.erb"] }).processed
       end
     end
   end

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000