CVE-2025-24293
Severity (CVSS v4.0): CRITICAL
Type: Unavailable / Other
Publication date: 30/01/2026
Last modified: 30/01/2026
Description
# Active Storage allowed transformation methods potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image
transformation methods and parameters by default.

The default allowed list contains three methods that allow for the circumvention
of the safe defaults, which enables potential command injection
vulnerabilities in cases where arbitrary user-supplied input is accepted as
valid transformation methods or parameters.

Impact
------
This vulnerability impacts applications that use Active Storage with the image_processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this:
```erb
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds
-----------
Consuming user-supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user-supplied methods and parameters should be performed,
as well as having a strong [ImageMagick security
policy](https://imagemagick.org/script/security-policy.php) deployed.
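As an added example (not part of the advisory or of Rails itself), one way to apply the strict-validation workaround: resolve request input against a fixed, server-defined allowlist of named variants, so neither the transformation method nor its arguments ever come from the request. The preset names, `MAX_DIMENSION` and the `safe_variant_options` helper are assumptions for illustration.

```ruby
# Added example: strict allowlist for Active Storage variant transformations.
# Instead of passing the request's method name and argument straight through
# (blob.variant(params[:t] => params[:v])), the application only exposes
# named presets, and the only user-controllable value is a bounded "WxH" size.

# Constructed presets: the complete set of transformations the app allows.
# resize_to_limit is a standard image_processing method.
VARIANT_PRESETS = {
  "thumb"  => { resize_to_limit: [100, 100] },
  "medium" => { resize_to_limit: [600, 600] },
  "large"  => { resize_to_limit: [1200, 1200] },
}.freeze

MAX_DIMENSION = 2000 # assumed upper bound to keep variants cheap to produce

class UnsafeTransformation < StandardError; end

# Returns the transformation hash to hand to blob.variant, or raises.
# preset: user-supplied preset name; size: optional "WxH" string.
def safe_variant_options(preset, size = nil)
  options = VARIANT_PRESETS[preset.to_s]
  raise UnsafeTransformation, "unknown preset #{preset.inspect}" unless options
  return options.dup if size.nil?

  # Only a bare WxH: no flags, no extra tokens, no characters beyond digits and 'x'.
  m = /\A(\d{1,4})x(\d{1,4})\z/.match(size.to_s)
  raise UnsafeTransformation, "bad size #{size.inspect}" unless m
  w, h = m[1].to_i, m[2].to_i
  unless (1..MAX_DIMENSION).cover?(w) && (1..MAX_DIMENSION).cover?(h)
    raise UnsafeTransformation, "size out of range"
  end

  options.merge(resize_to_limit: [w, h])
end

# Convenience predicate: true when the input is rejected by the allowlist.
def rejected?(preset, size = nil)
  safe_variant_options(preset, size)
  false
rescue UnsafeTransformation
  true
end

# In a controller the call would become, for example:
#   blob.variant(safe_variant_options(params[:preset], params[:size]))
```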

Credits
-------

Thank you [lio346](https://hackerone.com/lio346) for reporting this!
Impact
Base Score (CVSS v4.0): 9.20
Severity (CVSS v4.0): CRITICAL