RubyFlow The Ruby and Rails community linklog



Imagetragick and How to Protect Ruby Apps from it

  1. There is a huge vulnerability in ImageMagick. In layman’s terms, if you are doing any kind of image manipulations like uploading avatars, photos, resizing stuff, you are most likely using ImageMagick and it concerns you. In theory, by uploading a specially crafted file (which may be not an image at all or an SVG image with some “features”), the attacker can gain access to your system. This is VERY bad. The “trademark” for it is Imagetragick: Sysadmins should install a special policy file on their systems ASAP.

  2. Said vulnerability can also be prevented in Rails by using the carrierwave-bombshelter gem at It was previously used to protect from image bomb uploads, but now includes Imagetragick protection as well.
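The post's second point, a gem that rejects uploads whose bytes are not really the image they claim to be, comes down to one rule: trust the file's magic bytes and header, never its extension or Content-Type. The following is an added illustration of that rule, not code from the post or from carrierwave-bombshelter. It assumes a whitelist of PNG, JPEG and GIF (so SVG, MVG, PostScript and other text payloads ImageMagick would interpret are refused before it ever runs), reads dimensions straight from the header to catch decompression bombs, and uses a constructed pixel budget (`MAX_PIXELS`) and function names of my own choosing.

```ruby
# Added example: validate an uploaded "image" before any ImageMagick call.
# Not the gem's code; all names and the pixel budget are assumptions.

MAX_PIXELS = 50_000_000 # assumption: ~50 MP cap against decompression bombs

MAGIC = {
  png:  "\x89PNG\r\n\x1a\n".b,
  jpeg: "\xFF\xD8\xFF".b,
  gif:  ["GIF87a".b, "GIF89a".b],
}.freeze

# :png / :jpeg / :gif from the leading bytes, or nil for anything else
# (SVG, MVG, PostScript, HTML... all come back nil, whatever the extension).
def sniff_type(bytes)
  data = bytes.b
  return :png  if data.start_with?(MAGIC[:png])
  return :jpeg if data.start_with?(MAGIC[:jpeg])
  return :gif  if MAGIC[:gif].any? { |m| data.start_with?(m) }
  nil
end

# Walk JPEG segments until a SOF0/SOF2 frame header; returns [w, h] or nil.
def jpeg_dimensions(data)
  pos = 2 # skip SOI (FF D8)
  while pos + 4 <= data.bytesize
    return nil unless data.getbyte(pos) == 0xFF
    marker = data.getbyte(pos + 1)
    if marker == 0xC0 || marker == 0xC2
      return nil if pos + 9 > data.bytesize
      height, width = data[pos + 5, 4].unpack("n2") # precision byte sits at pos+4
      return [width, height]
    end
    if marker == 0x01 || (0xD0..0xD9).cover?(marker)
      pos += 2 # standalone marker, no length field
    else
      pos += 2 + data[pos + 2, 2].unpack1("n")
    end
  end
  nil
end

# Width/height from the header only (no decoding). [w, h] or nil if truncated.
def header_dimensions(bytes, type)
  data = bytes.b
  case type
  when :png  then data.bytesize >= 24 ? data[16, 8].unpack("N2") : nil # IHDR, big-endian
  when :gif  then data.bytesize >= 10 ? data[6, 4].unpack("v2") : nil  # screen descriptor, LE
  when :jpeg then jpeg_dimensions(data)
  end
end

# Returns [ok, reason]. Rejects unknown formats, extension/content mismatches,
# truncated headers and images whose pixel count exceeds the budget.
def validate_image_upload(bytes, declared_ext)
  type = sniff_type(bytes)
  return [false, "not an allowed raster image"] if type.nil?
  ext = declared_ext.to_s.downcase.delete_prefix(".")
  ext = "jpeg" if ext == "jpg"
  return [false, "extension #{declared_ext} does not match content #{type}"] unless ext == type.to_s
  dims = header_dimensions(bytes, type)
  return [false, "truncated header"] if dims.nil?
  w, h = dims
  return [false, "#{w}x#{h} exceeds pixel budget"] if w * h > MAX_PIXELS
  [true, "#{type} #{w}x#{h}"]
end

# Constructed sample inputs (minimal headers, not real pictures).
PNG_1X1   = "\x89PNG\r\n\x1a\n".b + [13].pack("N") + "IHDR".b + [1, 1].pack("N2")
PNG_BOMB  = "\x89PNG\r\n\x1a\n".b + [13].pack("N") + "IHDR".b + [100_000, 100_000].pack("N2")
GIF_SMALL = "GIF89a".b + [320, 240].pack("v2")
JPEG_VGA  = "\xFF\xD8".b +
            "\xFF\xE0".b + [16].pack("n") + "JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00".b +
            "\xFF\xC0".b + [11].pack("n") + "\x08".b + [480, 640].pack("n2") + "\x01\x01\x11\x00".b
SVG_AS_PNG = "<svg xmlns=\"http://www.w3.org/2000/svg\"></svg>".b # text payload renamed .png

if __FILE__ == $PROGRAM_NAME
  { "avatar.png" => PNG_1X1, "bomb.png" => PNG_BOMB, "photo.jpg" => JPEG_VGA,
    "anim.gif" => GIF_SMALL, "wrong.png" => GIF_SMALL, "evil.png" => SVG_AS_PNG }.each do |name, data|
    ok, why = validate_image_upload(data, File.extname(name))
    puts "#{name}: #{ok ? 'accept' : 'reject'} (#{why})"
  end
end
```

This check belongs in front of the image pipeline, alongside (not instead of) the ImageMagick policy file the post links to: the policy limits what ImageMagick will do with a file it is given, while the validator keeps non-raster input from reaching it at all.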


Yaroslav, good job pointing out the fix for the trending ImageMagick vulnerability. Just a note - it seems like paperclip is not affected by this problem:

Paperclip <4.3 seems to be vulnerable though. Anything less than 4.2.2 is vulnerable to an older exploit CVE-2015-2963:

I’m linking to this Reddit discussion to provide more context if people need it.

Everyone should be sandboxing ALL their image/vector manipulation libraries (not just ImageMagick… but Batik, Ghostscript, pnglib, etc.) at least inside Docker containers. The attack vectors for all those are so large that there is little hope of ‘containing’ them. Another alternative is to use one of the image processing services.
