Vulnerability in Rails Activestorage

CVE-2025-24293

# Active Storage allowed transformation methods potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three meth…

EPSS: 0.002 (39.1th percentile).

Frequently asked questions

What is CVE-2025-24293?
CVE-2025-24293 is a vulnerability in Rails Activestorage. Published 2026-01-30.
Is CVE-2025-24293 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.