Description
image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process based on user input should always sanitize the user input by allowing only a constrained set of operations.
References (3)
Core 3
Core References
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5310
Exploit, Vendor Advisory
https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
Scores
CVSS v3
9.8
EPSS
0.0088
EPSS Percentile
75.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-20
Status
published
Products (3)
debian/debian_linux
11.0
image_processing_project/image_processing
< 1.12.2
rubygems/image_processing
0 - 1.12.2RubyGems
Published
Mar 01, 2022
Tracked Since
Feb 18, 2026