{"id":76022,"date":"2026-01-30T23:41:15","date_gmt":"2026-01-30T20:11:15","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-24293-adobe-active-storage-image-command-injection-vulnerability\/"},"modified":"2026-01-30T23:41:15","modified_gmt":"2026-01-30T20:11:15","slug":"cve-2025-24293-adobe-active-storage-image-command-injection-vulnerability","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-24293-adobe-active-storage-image-command-injection-vulnerability\/","title":{"rendered":"CVE-2025-24293 – Adobe Active Storage Image Command Injection Vulnerability"},"content":{"rendered":"

CVE ID : CVE-2025-24293<\/p>\n

Published : Jan. 30, 2026, 8:11 p.m. | 1\u00a0hour ago<\/p>\n

Description : # Active Storage allowed transformation methods potentially unsafe<\/p>\n

Active Storage attempts to prevent the use of potentially unsafe image
\ntransformation methods and parameters by default.<\/p>\n

The default allowed list contains three methods allow for the circumvention
\nof the safe defaults which enables potential command injection
\nvulnerabilities in cases where arbitrary user supplied input is accepted as
\nvalid transformation methods or parameters.<\/p>\n

Impact
\n——
\nThis vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.<\/p>\n

Vulnerable code will look something similar to this:
\n“`
\n params[:v]) %>
\n“`<\/p>\n

Where the transformation method or its arguments are untrusted arbitrary input.<\/p>\n

All users running an affected release should either upgrade or use one of the workarounds immediately.<\/p>\n

Workarounds
\n———–
\nConsuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.<\/p>\n

Strict validation of user supplied methods and parameters should be performed
\nas well as having a strong [ImageMagick security
\npolicy](https:\/\/imagemagick.org\/script\/security-policy.php) deployed.<\/p>\n

Credits
\n——-<\/p>\n

Thank you [lio346](https:\/\/hackerone.com\/lio346) for reporting this!<\/p>\n

Severity: 0.0 | NA<\/p>\n

Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

CVE ID : CVE-2025-24293 Published : Jan. 30, 2026, 8:11 p.m. | 1\u00a0hour ago Description : # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-76022","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/76022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=76022"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/76022\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=76022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=76022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=76022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}