AIKIDO-2026-10929

image_processing is vulnerable to Remote Code Execution (RCE)

Remote Code Execution (RCE) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

High Risk

This Affects:

Ruby: image_processing
0.11.0 - 2.0.0
Fixed in 2.0.1

TL;DR

The MiniMagick backend applies loader and saver option hashes through apply_options, which used Ruby's send to invoke each option name as a method on the underlying MiniMagick::Tool object. Because send ignores method visibility, it can reach private methods such as Kernel#system, which every Ruby object inherits. An attacker who can supply loader or saver option keys can therefore trigger arbitrary shell commands when those options are passed to ImageProcessing::MiniMagick.loader or .saver: before the fix, an option such as system: "touch /tmp/pwned" would run that command on the host. The patch switches to public_send, which restricts dispatch to public methods and blocks this command-injection path.
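
The following is an added illustration, not code from image_processing or Aikido: a small stand-in for MiniMagick::Tool (the FakeTool class, apply_options_vulnerable, apply_options_fixed and reaches_private_method? are all hypothetical names) showing why option dispatch through send reaches private methods while public_send refuses them, and a visibility check a maintainer can use to audit which option keys a tool object would expose.

```ruby
# Added example (not image_processing's own code): a mock stand-in for
# MiniMagick::Tool. Public methods represent real CLI option methods;
# the private one stands in for Kernel#system, which is private on every
# Ruby object because Object includes Kernel.
class FakeTool
  attr_reader :args

  def initialize
    @args = []
  end

  # A public option method, like the tool's real CLI flags.
  def resize(value)
    @args << "-resize" << value
  end

  private

  # Private method: reachable via `send`, not via `public_send`.
  def internal_only(value)
    @args << "PRIVATE:#{value}"
  end
end

# Vulnerable pattern (image_processing 0.11.0 - 2.0.0): `send` ignores
# visibility, so an attacker-chosen key reaches private methods.
def apply_options_vulnerable(tool, options)
  options.each { |name, value| tool.send(name, value) }
  tool
end

# Patched pattern (2.0.1): `public_send` raises NoMethodError when the
# option name resolves to a private method such as Kernel#system.
def apply_options_fixed(tool, options)
  options.each { |name, value| tool.public_send(name, value) }
  tool
end

# Audit helper: true when an option name would resolve only to a private
# method on the tool. It checks visibility without invoking anything.
def reaches_private_method?(tool, name)
  tool.respond_to?(name, true) && !tool.respond_to?(name)
end
```

Running reaches_private_method?(FakeTool.new, :system) returns true even though FakeTool never defines system, which is exactly the inherited Kernel method the vulnerable send path could reach.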

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

image_processing is vulnerable to Remote Code Execution (RCE) in versions 0.11.0 - 2.0.0.

How to fix this

Upgrade the image_processing gem to the patched version, 2.0.1 or later.