Command Injection Vulnerability in Active Storage by Rails
CVE-2025-24293

9.2 CRITICAL

Key Information:

Vendor:
Rails
CVE Published:
30 January 2026

What is CVE-2025-24293?

The Active Storage component of Rails contains a vulnerability in which unsafe image transformation methods can be invoked, which can lead to command injection. It occurs when an application accepts arbitrary, untrusted user input as the transformation methods or their parameters. The issue is particularly impactful when Active Storage is used together with the image_processing gem and mini_magick as the image processor. Developers must strictly validate these inputs and should not rely on default method sets that could be exploited. To safeguard against this vulnerability, upgrade to a fixed version, or enforce strong validation of user-supplied transformations alongside a robust ImageMagick security policy.
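The validation the advisory calls for amounts to a deny-by-default allowlist: only transformation methods the application itself needs are accepted, and each argument is coerced to the expected type and range before anything reaches the image processor. The following is an added example of such a filter; it is not code from Rails or from the advisory. It assumes the application builds the transformation hash from request parameters and then passes the filtered result to `blob.variant(...)`; the method names and limits it permits (`resize_to_limit`, `resize_to_fill`, `rotate`, `quality`, `format`, a 4096 px cap) are choices made for this example, not a list taken from the page.

```ruby
# Added example (not Rails' own code): allowlist filter for user-supplied
# Active Storage variant transformations. Anything not explicitly permitted
# raises, so unexpected methods or argument shapes never reach the processor.

class UnsafeTransformationError < StandardError; end

MAX_DIMENSION  = 4096                       # assumed upper bound for this example
OUTPUT_FORMATS = %w[jpg jpeg png webp].freeze

# Accept Integers or strings of digits (request params usually arrive as
# strings); return nil for anything else.
def coerce_int(value)
  case value
  when Integer        then value
  when /\A-?\d+\z/    then Integer(value, 10)
  end
end

# A [width, height] pair of positive integers within MAX_DIMENSION, or nil.
def dimension_pair(arg)
  return nil unless arg.is_a?(Array) && arg.size == 2
  dims = arg.map { |v| coerce_int(v) }
  return nil unless dims.all? { |d| d && d.positive? && d <= MAX_DIMENSION }
  dims
end

# Each permitted method maps to a normalizer that returns the cleaned
# argument, or nil when the argument is not acceptable.
ALLOWED_TRANSFORMATIONS = {
  "resize_to_limit" => ->(arg) { dimension_pair(arg) },
  "resize_to_fill"  => ->(arg) { dimension_pair(arg) },
  "rotate"          => ->(arg) { (n = coerce_int(arg)) && n.between?(-360, 360) ? n : nil },
  "quality"         => ->(arg) { (n = coerce_int(arg)) && n.between?(1, 100) ? n : nil },
  "format"          => ->(arg) { OUTPUT_FORMATS.include?(arg.to_s) ? arg.to_s : nil },
}.freeze

# Returns a new hash containing only allowlisted methods with normalized
# arguments; raises UnsafeTransformationError on any other input.
def safe_transformations(requested)
  raise UnsafeTransformationError, "transformations must be a Hash" unless requested.is_a?(Hash)

  requested.each_with_object({}) do |(method, arg), out|
    name = method.to_s
    normalizer = ALLOWED_TRANSFORMATIONS[name]
    raise UnsafeTransformationError, "method not allowed: #{name.inspect}" unless normalizer

    value = normalizer.call(arg)
    raise UnsafeTransformationError, "invalid argument for #{name}" if value.nil?

    out[name.to_sym] = value
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters, shaped like what a controller might receive.
  params = { "resize_to_limit" => ["800", "600"], "format" => "webp" }
  puts safe_transformations(params).inspect   # {resize_to_limit: [800, 600], format: "webp"}

  begin
    # "sharpen" is simply not on this example's allowlist, so it is refused.
    safe_transformations({ "resize_to_limit" => ["800", "600"], "sharpen" => "1" })
  rescue UnsafeTransformationError => e
    puts "rejected: #{e.message}"
  end
end
```

In a controller the call becomes `blob.variant(safe_transformations(params[:transformations]))`, so the processor only ever sees the normalized hash. Rails also exposes a configurable allowlist of its own (`config.active_storage.supported_image_processing_methods` and `config.active_storage.unsupported_image_processing_arguments`); check the semantics for the installed version, and treat an application-level filter like this one as a complement to upgrading and to a restrictive ImageMagick policy, not a substitute for either.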

Affected Version(s)

activestorage 5.2 < 5.*

activestorage 7.0 < 7.1.5.2

activestorage 8.0 < 7.0.2.1

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved