SCA: security update for activestorage (GHSA-r4mg-4433-c7g3)

critical Tenable Cloud Security Plugin ID 433351

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the
use of potentially unsafe image transformation methods and parameters by default. The default allowed list
contains three methods allow for the circumvention of the safe defaults which enables potential command
injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation
methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with
the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code
will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where
the transformation method or its arguments are untrusted arbitrary input. All users running an affected
release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming
user supplied input for image transformation methods or their parameters is unsupported behavior and
should be considered dangerous. Strict validation of user supplied methods and parameters should be
performed as well as having a strong [ImageMagick security
policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you
[lio346](https://hackerone.com/lio346) for reporting this! (CVE-2025-24293)

See Also

https://github.com/advisories/GHSA-r4mg-4433-c7g3

Plugin Details

Severity: Critical

ID: 433351

Version: Revision 1.15

Type: Local

Family: SCA Checks

Published: 8/14/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58.03

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-24293

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 7.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/14/2025

Vulnerability Publication Date: 8/14/2025

Reference Information

CVE: CVE-2025-24293

cwe: CWE-77