CVE-2022-24720 Overview
CVE-2022-24720 is a command injection vulnerability in image_processing, a popular Ruby image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, the #apply method is vulnerable to remote shell command execution when processing operations derived from unsanitized user input. This vulnerability is particularly dangerous because the #apply method is called internally by Active Storage variants, making Rails applications using Active Storage also susceptible to this attack.
Critical Impact
Attackers can achieve remote code execution by injecting malicious shell commands through unsanitized user input processed by the #apply method, potentially leading to complete system compromise.
Affected Products
- image_processing (Ruby gem) versions prior to 1.12.2
- Debian Linux 11.0
- Rails applications using Active Storage with vulnerable image_processing versions
Discovery Timeline
- 2022-03-01 - CVE-2022-24720 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24720
Vulnerability Analysis
The vulnerability exists in the #apply method within lib/image_processing/chainable.rb. This method is designed to accept an array of operations and sequentially apply them to an image using Ruby's send method. The use of send is problematic because it allows calling any method on the builder object, including private methods, which can be leveraged to execute arbitrary shell commands when user input is not properly sanitized.
Active Storage in Rails relies on this vulnerable method internally for processing image variants, meaning any Rails application using Active Storage for image processing with user-controllable transformation parameters could be exploited without directly calling #apply.
Root Cause
The root cause is the use of Ruby's send method instead of public_send in the #apply method implementation. The send method can invoke both public and private methods on an object, whereas public_send is restricted to only public methods. By using send, an attacker could potentially call private methods that may have dangerous side effects, including methods that execute shell commands through the underlying ImageMagick or libvips binaries.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can craft malicious input that, when passed through the #apply method, executes arbitrary shell commands on the server. This is particularly dangerous in web applications that allow users to specify image transformation parameters, such as resizing, cropping, or format conversion options.
# Security patch in lib/image_processing/chainable.rb - Prevent remote shell execution in `#apply`
def apply(operations)
operations.inject(self) do |builder, (name, argument)|
if argument == true || argument == nil
- builder.send(name)
+ builder.public_send(name)
elsif argument.is_a?(Array)
- builder.send(name, *argument)
+ builder.public_send(name, *argument)
elsif argument.is_a?(Hash)
- builder.send(name, **argument)
+ builder.public_send(name, **argument)
else
- builder.send(name, argument)
+ builder.public_send(name, argument)
end
end
end
Source: GitHub Commit Reference
Detection Methods for CVE-2022-24720
Indicators of Compromise
- Unusual process spawning from Ruby/Rails application processes, particularly shell executions
- Unexpected outbound network connections from application servers
- Modified or new files in unexpected locations created by the web application user
- Anomalous ImageMagick or libvips command-line arguments in process logs
Detection Strategies
- Monitor application logs for unusual image processing requests with unexpected operation names
- Implement runtime application self-protection (RASP) to detect command injection attempts
- Deploy Web Application Firewall (WAF) rules to filter suspicious payloads in image processing parameters
- Use static application security testing (SAST) to identify use of vulnerable image_processing gem versions
Monitoring Recommendations
- Enable detailed logging for image processing operations and review for anomalous patterns
- Set up alerting for any shell command execution originating from Ruby application processes
- Monitor gem dependency versions and receive alerts when using vulnerable image_processing versions
- Track Active Storage variant generation requests for unusual transformation parameters
How to Mitigate CVE-2022-24720
Immediate Actions Required
- Upgrade image_processing gem to version 1.12.2 or later immediately
- Audit all user input that flows into image processing operations
- Implement strict allowlist validation for any user-controllable image transformation parameters
- Review Active Storage configurations and ensure variant definitions do not accept unsanitized user input
Patch Information
The vulnerability has been fixed in version 1.12.2 of the image_processing gem. The fix replaces send with public_send in the #apply method, preventing access to private methods that could be exploited for command execution. Users should update their Gemfile to require the patched version.
For Debian Linux 11.0 users, refer to the Debian Security Announcement DSA-5310 for official package updates.
Additional resources:
Workarounds
- Implement strict allowlist validation for all image processing operations before passing to #apply
- Restrict image transformation options to a predefined set of safe operations only
- Avoid passing user-controlled input directly to Active Storage variant definitions
- Consider sandboxing image processing in isolated containers with limited system access
# Configuration example - Update Gemfile to require patched version
gem 'image_processing', '>= 1.12.2'
# Then run bundle update
bundle update image_processing
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
