CVE-2025-24293 (Ruby on Rails)

Author: Lio

CVE Analysis - This article is part of a series. Part 4: This Article

Introduction

In early 2025, I kicked off the year by learning a new programming language: Ruby. New year, new me! ◝(ᵔᗜᵔ)◜

I figured, what better way to learn a language than just writing a few programs? Then it hit me: why not look for vulnerabilities in its libraries? (In Ruby, they’re called gems.) So I took a little detour and started digging around RubyGems.

I set my sights high from the start: I wanted to find a High or Critical vulnerability. So I went straight for the big one: the Ruby on Rails framework.


I noticed that many remote code execution (RCE) vulnerabilities in Rails are tied to how it parses or processes data. With that in mind, I dove into its internals and started looking into third-party gems used by Rails that could be exploited. That's when I came across a promising target: image_processing.

This gem is used by the Active Storage component of Rails.

After almost a month of digging, and nearly six more months of waiting for the Rails team to triage and patch, it finally happened. Not my first CVE, but my first one to result in remote code execution: CVE-2025-24293.

The CVE was announced in mid-August… and here I am, finally writing about it now. Damn you, procrastination ლ(ಠ益ಠლ)

Detailed Analysis

The full technical breakdown and a proof-of-concept video for this CVE have already been published on my company’s official blog: Critical CVE-2025-24293 in Ruby on Rails – Active Storage RCE Discovered by OPSWAT Unit 515.

For those who come after

This whole experience reminded me that vulnerability research isn't just about finding bugs; it's about understanding how systems are built, and how complexity can open unexpected doors.

Digging into Ruby, Rails, and its ecosystem taught me a lot, not just about security, but about how elegant code can still hide dangerous flaws. I’m proud of this CVE not because it’s flashy, but because it came from persistence, curiosity, and a willingness to go deep.

Until next time! ദ്ദി ˉ͈̀꒳ˉ͈́ )✧
