VulnerableCode Package Details - pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u4?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-yzpx-3gam-y3bu	Active Storage allowed transformation methods that were potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. This has been assigned the CVE identifier CVE-2025-24293. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1 Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this!	CVE-2025-24293 GHSA-r4mg-4433-c7g3
VCID-zqzx-avvt-wkhm	Active Record logging vulnerable to ANSI escape injection This vulnerability has been assigned the CVE identifier CVE-2025-55193 ### Impact The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. ### Releases The fixed releases are available at the normal locations. ### Credits Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability	CVE-2025-55193 GHSA-76r7-hhxj-r776

Vulnerability

Summary

Aliases

VCID-yzpx-3gam-y3bu

Active Storage allowed transformation methods that were potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. This has been assigned the CVE identifier CVE-2025-24293. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1 Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this!

CVE-2025-24293
GHSA-r4mg-4433-c7g3

VCID-zqzx-avvt-wkhm

Active Record logging vulnerable to ANSI escape injection This vulnerability has been assigned the CVE identifier CVE-2025-55193 ### Impact The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. ### Releases The fixed releases are available at the normal locations. ### Credits Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability

CVE-2025-55193
GHSA-76r7-hhxj-r776

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:56:12.175621+00:00	Debian Importer	Fixing	VCID-zqzx-avvt-wkhm	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:38:34.689636+00:00	Debian Importer	Fixing	VCID-yzpx-3gam-y3bu	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:53:03.378336+00:00	Debian Importer	Fixing	VCID-zqzx-avvt-wkhm	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:11:42.963946+00:00	Debian Importer	Fixing	VCID-yzpx-3gam-y3bu	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:51:50.329507+00:00	Debian Importer	Fixing	VCID-zqzx-avvt-wkhm	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:51:50.268314+00:00	Debian Importer	Fixing	VCID-yzpx-3gam-y3bu	https://security-tracker.debian.org/tracker/data/json	38.1.0