cythera-logo-darkmode
Are you experiencing a security incident?
Incident Response
Assess & Improve
Detect & Respond
Protect & Secure
Advise & Empower
Resources
Case Studies
Real-world examples
Articles
In-depth insights
Advisories
Newly discovered threats
About us
Leadership Team
Meet the experts
Events
Join upcoming events
Award & Certifications
Industry recognitions
Vendor Partners
Trusted vendors
Talk to an expert
Service Category
Services
Popular Services
Employee Cyber Training & Awareness
Train smart and stay secure
Advisory
Secure smarter with strategic security advisory
Managed Protection
Always-on protection. Smarter security
Security Architecture
Security that drives real results, cloud to full stack
Digital Forensics & Incident Response
DFIR experts, ready when you need them.
Cyber Threat Intelligence
Real time insights from Cassini CTI
Managed Detection & Response
Our experts watch, so you don’t have to.
Certification & Accreditation
Get certified with ease
Audit & Assurance
Audits you trust. Assurance that drives action.
Governance, Risk & Compliance
Simplfy compliance, strengthen protection
Cyber Maturity Assessments
Level up your cyber security game
Penetration Testing
Penetration testing that spots weaknesses
Case Studies
    
Articles
    
Advisories
    
Web Filter, CASB & DLP (Cloud Access Security Broker & Data Loss Prevention)
Web Application Penetration Testing
Vulnerability Management
Vulnerability Assessment
vITSM
Virtual Security Architect (vSecArch)
vCISO
System Security Plan
System Architecture, Design & Implementation
Strategic Security Consulting
SWIFT CSCF
Specialist Testing
Source Code Review
Social Engineering & Phishing
Security Policy and Standard Development
Security Incident Response Testing
Security Awareness Training
Secure Access Service Edge (SASE)
Risk Management
Risk Assessment
Red Teaming
Purple Teaming
NIST CSF Maturity Uplift
Payment Card Industry (PCI)
OT/SCADA Network Penetration Test
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response Tabletop Exercise
Incident Response
Forensics
External Penetration Testing
Executive & Board Reporting
Executive and Board Security Governance Training
Essential Eight Assessment
Endpoint Protection
Email Security
DevSecOps Review & Implementation
Denial of Service (DoS) Testing
Design Reviews
Dark Web Monitoring
Controls Validation Audit
Continuous Certification
Compliance Programme Management
Configuration Reviews
Cloud Security Configuration
Cloud Posture & Security
CIS Critical Controls Assessment
Automated Patch Management
CI/CD Health Check
Artificial Intelligence (AI) Penetration Test
All of Government Marketplace
Advanced OSINT Training Course
Application Penetration Tests
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
External Penetration Testing
Essential Eight Assessment
Denial of Service (DoS) Testing
Dark Web Monitoring
cythera-logo-darkmode
Advise & Empower
Explore Solutions
Protect & Secure
Explore Solutions
Detect & Respond
Explore Solutions
Assess & Improve
Explore Solutions
Resources
Articles
Advisories
About Us
Explore Bastion
Leadership Team
Events
Award & Certifications
Our Community
Vendor Partners
Employee Cyber Training & Awareness
Advisory
Managed Protection
Security Architecture
Digital Forensics & Incident Response
Cyber Threat Intelligence
Managed Detection & Response
Certification & Accreditation
Audit & Assurance
Governance, Risk & Compliance
Cyber Maturity Assessments
Penetration Testing
Popular Services
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response
Talk to an expert
Resources
About Us
Advisories
>
Ruby Dragonfly Flaw Enables Argument Injection
Cythera Cyber Security

Ruby Dragonfly Flaw Enables Argument Injection

In a recent engagement, Cythera discovered an argument injection flaw in certain configurations of Refinery CMS. Further investigation revealed the root cause resided in the widely used Ruby Gem Dragonfly, a media-handling library also adopted by other CMS platforms such as Locomotive CMS and Alchemy CMS.
Talk to an expert

Introduction

In a recent engagement, Cythera discovered an argument injection flaw in certain configurations of Refinery CMS. Further investigation revealed the root cause resided in the widely used Ruby Gem Dragonfly, a media-handling library also adopted by other CMS platforms such as Locomotive CMS and Alchemy CMS. This advisory explores the vulnerability's technical details, attack vectors, and its potential consequences for users and site administrators.

Dragonfly Ruby Gem

The Dragonfly library is widely used in content management systems for image processing tasks such as creating thumbnails, generating text-based images, or managing attachments. For instance, in Refinery CMS, image URLs often include base64-encoded data that Dragonfly decodes to locate and manipulate images. The decoded data instructs Dragonfly to fetch a specific image and generate a resized version, such as a 225x255 pixel thumbnail.

Vulnerability Discovery: CVE-2021-33564

Attempt 1: Local File Inclusion (LFI)

Initial attempts targeted Local File Inclusion using path traversal patterns like ../../ in the payload. These attempts failed due to two key security measures in the Refinery CMS setup:

  • Any input containing ../ was automatically blocked
  • The application prepended the root directory path to all file requests
  • These safeguards effectively mitigated LFI attacks in this context.

Attempt 2: Command Injection via Dragonfly

Dragonfly, a backend image processing library used in the CMS, processes tasks such as image conversion using a set of predefined job types. These include:

  • Fetch from local file
  • Fetch from URL
  • Generate (typically used with ImageMagick)
  • Process (apply transformations)
  • Attempts to exploit the fetch operations failed due to whitelist-based validation. However, the generate job, which invokes the convert utility from ImageMagick, became the primary focus.

Argument Injection via ImageMagick

Although special shell characters were escaped, attackers discovered that whitespace or newline characters could still be used to inject arbitrary command-line arguments into the ImageMagick convert call. This meant that by carefully structuring the job payload, they could control how files were read or written.

Arbitrary File Read

ImageMagick supports reading files as raw pixel data using the gray: input format. By pointing this to a sensitive file (e.g., /etc/passwd), and choosing an output format that avoids truncation, the attacker could read file contents and save them to a temporary output file.

This confirmed the ability to exfiltrate local files from the server using image processing functions.

Arbitrary File Write

The attacker could:

  • Create a dummy image file (e.g., a .bmp) containing arbitrary binary content
  • Host this file on a server they control
  • Instruct the vulnerable system to load this file and write its raw content to any location on the filesystem
  • This allowed writing attacker-controlled files to paths like application_controller.rb.

Remote Code Execution (RCE)

With file write access confirmed, attackers were able to overwrite application files. For example, they replaced a controller file with one that:

  • Read the User-Agent header for a trigger keyword
  • Executed any system command that followed
  • Wrote the result to a public file path on the server
  • The application was then restarted (e.g., via modification of a known restart trigger file), activating the new backdoored code. By sending HTTP requests with specific headers, the attacker executed arbitrary system commands remotely.

Exploitation Constraints

The attack worked only if a security option called verify_urls was disabled. This setting normally ensures that requests to the image processor are signed using a shared secret and HMAC-SHA256 hashing. However, many applications either left this option disabled or misconfigured it.

Remediation Steps

To fully address this vulnerability:

  • Upgrade the Dragonfly Ruby Gem to version 1.4.0 or newer
  • Ensure verify_urls is enabled in the application’s configuration

Affected Systems

The vulnerability impacted systems using:

  • Dragonfly for image processing
  • Refinery CMS where image generation jobs were exposed
  • ImageMagick when installed in default or permissive modes

Disclosure Timeline

  • 27 April 2021 – Vulnerability reported to Refinery CMS maintainers
  • 28 April 2021 – Maintainers confirmed issue
  • 29 April 2021 – Escalated to Dragonfly maintainer
  • 30 April 2021 – Dragonfly maintainer confirmed issue
  • 18 May 2021 – Patch developed and validated
  • 19 May 2021 – CVE request submitted
  • 25 May 2021 – CVE-2021-33564 assigned

CIO
Government Agency
Cythera operates as an extension of our team. When we call there is an immediate response and the person that answers our call is the person that resolves our issue. Cythera understands our network, and more importantly, has taken the time to understand our business. We find it easy to work with Cythera. They are approachable, flexible and have taken the time to build deep relationships with our team. It is a partnership and friendship. Cythera’s personalised, highly specialised services makes all the difference. We would recommend Cythera to anyone in the industry looking for a managed services partner.
Expert methods

We have the tools to pinpoint risks

Whether it’s hidden vulnerabilities or patterns you might miss, we help you stay one step ahead and make confident, informed decisions. Understand how our services can help your business uncover critical risks

Talk to an expert
Employee Cyber Training & Awareness
Your people are your first line of defence. Our cyber training builds awareness sharpens instincts and turns everyday staff into assets.
Advisory
When clarity is critical and stakes are high, our advisory services deliver strategic, executive-level security expertise that empowers decision-making and resilient operations.
Advise & Empower
Protect & Secure
Detect & Respond
Assess & Improve
Back to top
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Dark
Resources
Case StudiesArticlesAdvisoriesOur ISO 27001 Certificate
About UsLeadership TeamEventsAwards & CertificationsOur CommunityVendor Partnership
Are you experiencing a security breach?
Incident Response
1300 298 437
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
© Copyright 2025. All rights reserved