Rails CVE-2025-55193 and CVE-2025-24293

19 Aug 2025
Are you eager to elevate your security skills and safeguard your applications against cyber threats? I created a Rails Security course designed specifically for developers like you who aim to build robust, secure Rails applications!
Buy my course: Security for Rails Developers.

Two new Rails CVEs were published recently, and both of them look interesting from an exploitation standpoint, so I wanted to explore what could be achieved with them.

Let’s look into CVE-2025-55193 first. It is an ANSI escape injection vulnerability in Active Record’s logging mechanism.
First of all, let me explain what an ANSI escape injection is. When your terminal prints text, there are special escape sequences that can be used to colorize the text or change the terminal’s behavior. These escape sequences can also be used to execute arbitrary commands in some terminals, so if you display a malicious string, it can be exploited.
When Rails writes its logs, if an attacker can write terminal escape sequences into them and someone tails the logs in a vulnerable terminal, that can lead to remote code execution. For instance, \e]2;Rails console\e]2;?\a changes the title of the terminal window in some terminal emulators like PuTTY. But if you change the title with the payload \e]2;ping google.com\n\a\e]2;?\a, the ping command will be executed.

Let’s see how this could be exploited by poisoning the Rails logs. You have surely seen the ActiveRecord::RecordNotFound (Couldn't find MODEL with 'id'=123) line in your Rails logs before. If a string payload is used in place of the ID in the URL and someone reads that log entry in a vulnerable terminal, we have a remote code execution vulnerability. The vulnerable terminal is important here: only a small subset of terminals could actually be exploited for RCE this way, but the injection could also be used for phishing or for hiding payloads in the logs.
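The practical defence for any log sink that might be read in a terminal is to neutralise escape sequences before they are written and to flag entries that carry them. The following is an added example (not code from the original post and not part of Rails): a small module that detects and strips CSI/OSC escape sequences and C0 control bytes from log messages, a Logger formatter that applies it, and a checker run over a few constructed sample log lines. The module and method names are my own; the sample lines are constructed for the demonstration.

```ruby
# Added example: defensive sanitising of log entries against ANSI/OSC escape
# injection. Not part of Rails; names (AnsiSafeLog, Formatter, flag_entries)
# are assumptions for this illustration.
require "logger"

module AnsiSafeLog
  # CSI sequences: ESC [ parameters intermediates final-byte (colours, cursor moves, ...)
  CSI = /\e\[[0-?]*[ -\/]*[@-~]/
  # OSC sequences: ESC ] ... terminated by BEL (0x07) or ST (ESC \); window titles, hyperlinks, ...
  OSC = /\e\][^\x07\e]*(?:\x07|\e\\)/
  # Any other two-byte escape (e.g. ESC c = full reset)
  OTHER = /\e[@-Z\\-_]/
  # Remaining C0 control bytes and DEL, except tab, newline and carriage return
  CONTROL = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

  # Constructed sample log lines; the second one carries an OSC title sequence.
  SAMPLE_LINES = [
    "Started GET \"/users/123\"",
    "ActiveRecord::RecordNotFound (Couldn't find User with 'id'=\e]2;evil\x07)",
    "Completed 404 Not Found"
  ].freeze

  # True when the string contains anything a terminal emulator would interpret.
  def self.suspicious?(str)
    s = str.to_s
    !!(s =~ /\e/ || s =~ CONTROL)
  end

  # Replace escape sequences with visible, inert markers. The entry stays
  # readable and the tampering attempt remains evident in the log.
  def self.sanitize(str)
    s = str.to_s.scrub
    s = s.gsub(OSC, "<OSC>")
    s = s.gsub(CSI, "<CSI>")
    s = s.gsub(OTHER, "<ESC>")
    s.gsub(CONTROL) { |c| format("\\x%02X", c.ord) }
  end

  # Detection over a batch of lines: returns [index, sanitized_line] pairs
  # for every entry that carried an escape or control byte.
  def self.flag_entries(lines)
    lines.each_with_index
         .select { |line, _| suspicious?(line) }
         .map { |line, i| [i, sanitize(line)] }
  end

  # A Logger formatter that sanitises every message before it is written.
  class Formatter < Logger::Formatter
    def call(severity, time, progname, msg)
      super(severity, time, progname, AnsiSafeLog.sanitize(msg2str(msg)))
    end
  end
end

if $PROGRAM_NAME == __FILE__
  logger = Logger.new($stdout)
  logger.formatter = AnsiSafeLog::Formatter.new
  AnsiSafeLog::SAMPLE_LINES.each { |line| logger.info(line) }
  p AnsiSafeLog.flag_entries(AnsiSafeLog::SAMPLE_LINES)
end
```

Upgrading Rails to a patched release is the actual fix for the Active Record logging path; the formatter above is defence in depth for everything else that ends up in the same log (custom log calls, third-party gems, request parameters echoed by middleware). Assuming a standard Rails setup, it can be wired in with config.log_formatter = AnsiSafeLog::Formatter.new in an environment file, and the flag_entries check can run as a periodic scan over archived logs to surface injection attempts.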

The second vulnerability is CVE-2025-24293, an Active Storage unsafe transformations issue. It affects applications that use the image_processing gem with mini_magick as the image processor and pass a user-controlled string as a transformation. For instance, if your application allows images to be resized to custom dimensions, you might have something similar to this in your code:

image_tag blob.variant(resize: params[:dimensions])

And someone passes this as dimensions in the request:

dimensions[payload][]=-write&dimensions[payload][]=/tmp/file.erb

Then a file is created in /tmp with the contents “payload”. If you chain this with another vulnerability, it can cause real problems. A strict ImageMagick security policy can help mitigate such issues, but you also shouldn’t pass user-controlled data directly to these methods.
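The root cause is that the request parameter reaches the transformation call unparsed, so a nested hash or array is handed to mini_magick as arguments. The safe shape is to accept only a plain string in a fixed format, turn it into integers, and let the application choose the transformation name. The following is an added example (not code from the original post and not part of Active Storage or image_processing): a parser that accepts only WIDTHxHEIGHT strings within bounds, refuses nested params, and builds the variant options itself, plus a preset allow-list for applications that do not need free-form sizes. The module name, the error class and the 4096 limit are my own choices.

```ruby
# Added example: strict parsing of a user-supplied size before it reaches
# blob.variant. Not part of Rails; SafeResize and its limits are assumptions
# for this illustration.
module SafeResize
  MAX_DIM = 4096                       # upper bound per side, an assumed policy value
  PATTERN = /\A(\d{1,4})x(\d{1,4})\z/  # exactly "123x456", nothing else

  class InvalidDimensions < ArgumentError; end

  # Returns [width, height] or raises InvalidDimensions. Only a plain String of
  # the exact "WxH" form is accepted; hashes and arrays from nested params are
  # rejected up front, so no attacker-shaped structure reaches the processor.
  def self.parse(value)
    raise InvalidDimensions, "dimensions must be a string" unless value.is_a?(String)
    m = PATTERN.match(value)
    raise InvalidDimensions, "dimensions must look like 800x600" unless m
    w = m[1].to_i
    h = m[2].to_i
    unless (1..MAX_DIM).cover?(w) && (1..MAX_DIM).cover?(h)
      raise InvalidDimensions, "dimensions out of range"
    end
    [w, h]
  end

  # Builds the hash handed to blob.variant. The transformation name is fixed by
  # the application; the only user influence is two bounded integers.
  def self.variant_options(value)
    w, h = parse(value)
    { resize_to_limit: [w, h] }
  end

  # Stricter alternative: named presets, so the request carries a label only.
  PRESETS = {
    "thumb"  => [150, 150],
    "medium" => [600, 600],
    "large"  => [1200, 1200]
  }.freeze

  def self.preset_options(name)
    dims = PRESETS.fetch(name.to_s) { raise InvalidDimensions, "unknown preset #{name.inspect}" }
    { resize_to_limit: dims }
  end
end

if $PROGRAM_NAME == __FILE__
  p SafeResize.variant_options("300x200")
  p SafeResize.preset_options("thumb")
  begin
    SafeResize.parse({ "payload" => ["-x", "/tmp/f"] })
  rescue SafeResize::InvalidDimensions => e
    puts "rejected: #{e.message}"
  end
end
```

In a controller this replaces the vulnerable line with image_tag blob.variant(SafeResize.variant_options(params[:dimensions])), with the InvalidDimensions error rescued into a 400 response. Because the hash is built from two integers and a literal method name, nothing the client sends can introduce an extra ImageMagick option, and resize_to_limit also keeps the output from exceeding the requested box. Rails additionally exposes config.active_storage.supported_image_processing_methods and config.active_storage.unsupported_image_processing_arguments to restrict what variants may call, which is worth setting alongside the ImageMagick policy the post mentions.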

Darius also wrote a piece on the ANSI escape character injection, it is a pretty good read.
