GHSA-w749-p3v6-hccq
GitHub Security Advisory
Possible code injection vulnerability in Rails / Active Storage
GitHub Reviewed | Severity: CRITICAL | Has CVE
Advisory Details
The Active Storage module of Rails starting with version 5.2.0 is possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.
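The workaround above asks applications to accept only a known set of transformation methods and argument shapes before they reach the image processor. The following is an added example of such an allow-list, not code from the Rails project or from the patch; the method names, argument limits and the UnsafeTransformation error are assumptions chosen for illustration, and it runs stand-alone without Rails:

```ruby
# Added example (not Rails code): a strict allow-list for variant transformation
# options. Each allowed method maps to a validator for its argument; anything
# not listed, or with an argument of the wrong shape, is rejected before the
# options are handed to the image processing backend.

class UnsafeTransformation < StandardError; end

# Helper: a two-element array of positive integers no larger than max_px.
DIMENSIONS = lambda do |max_px|
  ->(v) { v.is_a?(Array) && v.size == 2 && v.all? { |n| n.is_a?(Integer) && n.positive? && n <= max_px } }
end

# Allowed method name => validator for its argument (limits are assumptions).
ALLOWED_TRANSFORMS = {
  "resize_to_limit" => DIMENSIONS.call(4096),
  "resize_to_fill"  => DIMENSIONS.call(4096),
  "rotate"          => ->(v) { [0, 90, 180, 270].include?(v) },
  "format"          => ->(v) { %w[jpg jpeg png webp].include?(v.to_s) },
  "quality"         => ->(v) { v.is_a?(Integer) && v.between?(1, 100) },
}.freeze

# Returns a new Hash containing only allow-listed methods with valid arguments;
# raises UnsafeTransformation on anything else (fail closed, never strip silently).
def sanitize_transformations(transformations)
  raise UnsafeTransformation, "expected a Hash of transformations" unless transformations.is_a?(Hash)

  transformations.each_with_object({}) do |(method, arg), safe|
    name = method.to_s
    validator = ALLOWED_TRANSFORMS[name]
    raise UnsafeTransformation, "transformation method not allowed: #{name}" unless validator
    raise UnsafeTransformation, "invalid argument for #{name}: #{arg.inspect}" unless validator.call(arg)

    safe[name] = arg
  end
end

# Constructed input: what a controller might receive for a thumbnail variant.
if __FILE__ == $PROGRAM_NAME
  safe = sanitize_transformations(resize_to_limit: [300, 300], format: "webp")
  puts safe.inspect
  begin
    sanitize_transformations(resize_to_limit: [300, 300], something_else: "value")
  rescue UnsafeTransformation => e
    puts "rejected: #{e.message}"
  end
end
```

The allow-list is keyed by method name and validates argument shape as well, because an accepted method with an unexpected argument is still user-controlled input reaching the backend. Keep the list as small as the application needs, and pair it with a restrictive ImageMagick policy as the advisory recommends.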
Affected Packages
Ecosystem   Package         Affected versions   Fixed in
RubyGems    activestorage   5.2.0               5.2.6.3
RubyGems    activestorage   6.0.0               6.0.4.7
RubyGems    activestorage   6.1.0               6.1.4.7
RubyGems    activestorage   7.0.0               7.0.2.3
Related CVEs
Key Information
Score: 9.0/10
Dataset
Last updated: August 1, 2025 6:44 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.