🚨 Rails has possible XSS Vulnerability in Action Controller

Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(translate, t, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected: >= 7.0.0.
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1

Impact

Applications using translation methods like translate, or t on a
controller, with a key ending in "_html", a :default key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

class ArticlesController < ApplicationController
  def show  
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end

To reiterate the pre-conditions, applications must:

• Use a translation function from a controller (i.e. not I18n.t, or t from
  a view)
• Use a key that ends in _html
• Use a default value where the default value is untrusted and unescaped input
• Send the text to the victim (whether that's part of a template, or a
  render call)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 7-0-translate-xss.patch - Patch for 7.0 series
• 7-1-translate-xss.patch - Patch for 7.1 series

Credits

Thanks to ooooooo_q for the patch and fix!

🚨 Rails has possible XSS Vulnerability in Action Controller

Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(translate, t, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected: >= 7.0.0.
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1

Impact

Applications using translation methods like translate, or t on a
controller, with a key ending in "_html", a :default key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

class ArticlesController < ApplicationController
  def show  
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end

To reiterate the pre-conditions, applications must:

• Use a translation function from a controller (i.e. not I18n.t, or t from
  a view)
• Use a key that ends in _html
• Use a default value where the default value is untrusted and unescaped input
• Send the text to the victim (whether that's part of a template, or a
  render call)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 7-0-translate-xss.patch - Patch for 7.0 series
• 7-1-translate-xss.patch - Patch for 7.1 series

Credits

Thanks to ooooooo_q for the patch and fix!

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

🚨 Possible ReDoS vulnerability in block_format in Action Mailer

There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.

Impact

Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling the block_format helper or upgrade to Ruby 3.2

Credits

Thanks to yuki_osaki for the report!

🚨 Possible ReDoS vulnerability in block_format in Action Mailer

There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.

Impact

Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling the block_format helper or upgrade to Ruby 3.2

Credits

Thanks to yuki_osaki for the report!

🚨 Possible ReDoS vulnerability in block_format in Action Mailer

There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.

Impact

Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling the block_format helper or upgrade to Ruby 3.2

Credits

Thanks to yuki_osaki for the report!

🚨 Possible ReDoS vulnerability in block_format in Action Mailer

There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.

Impact

Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling the block_format helper or upgrade to Ruby 3.2

Credits

Thanks to yuki_osaki for the report!

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

🚨 Rails has a possible XSS vulnerability in its Action Pack debug exceptions

Impact

The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (config.consider_all_requests_local = true), which is the default in development.

Releases

The fixed releases are available at the normal locations.

🚨 Possible Content Security Policy bypass in Action Dispatch

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

🚨 Possible Content Security Policy bypass in Action Dispatch

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

🚨 Possible Content Security Policy bypass in Action Dispatch

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

🚨 Possible Content Security Policy bypass in Action Dispatch

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

🚨 Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

🚨 Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

🚨 Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

🚨 Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

🚨 Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

🚨 Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

🚨 Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

🚨 Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

🚨 Missing security headers in Action Pack on non-HTML responses

Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses
with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series in accordance with our
maintenance policy
regarding security issues. They are in git-am format and consist of a
single changeset.

• 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
• 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
• 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

🚨 Missing security headers in Action Pack on non-HTML responses

Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses
with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series in accordance with our
maintenance policy
regarding security issues. They are in git-am format and consist of a
single changeset.

• 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
• 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
• 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

🚨 Missing security headers in Action Pack on non-HTML responses

Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses
with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series in accordance with our
maintenance policy
regarding security issues. They are in git-am format and consist of a
single changeset.

• 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
• 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
• 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

🚨 Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch

Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.

Versions Affected: >= 7.1.0, < 7.1.3.1
Not affected: < 7.1.0
Fixed Versions: 7.1.3.1

Impact

Carefully crafted Accept headers can cause Accept header parsing in Action
Dispatch to take an unexpected amount of time, possibly resulting in a DoS
vulnerability. All users running an affected release should either upgrade or
use one of the workarounds immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby
3.2 or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 7-1-accept-redox.patch - Patch for 7.1 series

Credits

Thanks svalkanov for the report and patch!

🚨 Rails has possible XSS Vulnerability in Action Controller

Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(translate, t, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected: >= 7.0.0.
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1

Impact

Applications using translation methods like translate, or t on a
controller, with a key ending in "_html", a :default key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

class ArticlesController < ApplicationController
  def show  
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end

To reiterate the pre-conditions, applications must:

• Use a translation function from a controller (i.e. not I18n.t, or t from
  a view)
• Use a key that ends in _html
• Use a default value where the default value is untrusted and unescaped input
• Send the text to the victim (whether that's part of a template, or a
  render call)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 7-0-translate-xss.patch - Patch for 7.0 series
• 7-1-translate-xss.patch - Patch for 7.1 series

Credits

Thanks to ooooooo_q for the patch and fix!

🚨 Rails has possible XSS Vulnerability in Action Controller

Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(translate, t, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected: >= 7.0.0.
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1

Impact

Applications using translation methods like translate, or t on a
controller, with a key ending in "_html", a :default key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

class ArticlesController < ApplicationController
  def show  
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end

To reiterate the pre-conditions, applications must:

• Use a translation function from a controller (i.e. not I18n.t, or t from
  a view)
• Use a key that ends in _html
• Use a default value where the default value is untrusted and unescaped input
• Send the text to the victim (whether that's part of a template, or a
  render call)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 7-0-translate-xss.patch - Patch for 7.0 series
• 7-1-translate-xss.patch - Patch for 7.1 series

Credits

Thanks to ooooooo_q for the patch and fix!

🚨 Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

Impact

This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).

Releases

The FIXED releases are available at the normal locations.

Workarounds

Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.

🚨 Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

Impact

This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).

Releases

The FIXED releases are available at the normal locations.

Workarounds

Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.

🚨 ReDoS based DoS vulnerability in Action Dispatch

There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.

Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact

Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious X_FORWARDED_HOST headers before they reach the application.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 6.1 series
7-0-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

🚨 ReDoS based DoS vulnerability in Action Dispatch

There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.

Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact

Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious X_FORWARDED_HOST headers before they reach the application.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 6.1 series
7-0-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

🚨 Open Redirect Vulnerability in Action Pack

There is a vulnerability in Action Controller’s redirect_to. This vulnerability has been assigned the CVE identifier CVE-2023-22797.

Versions Affected: >= 7.0.0 Not affected: < 7.0.0 Fixed Versions: 7.0.4.1
Impact

There is a possible open redirect when using the redirect_to helper with untrusted user input.

Vulnerable code will look like this:

redirect_to(params[:some_param])

Rails 7.0 introduced protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could be bypassed by a carefully crafted URL.

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

7-0-Fix-sec-issue-with-_url_host_allowed.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

🚨 ReDoS based DoS vulnerability in Action Dispatch

There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.

Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

🚨 ReDoS based DoS vulnerability in Action Dispatch

There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.

Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

🚨 Cross-site Scripting Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as
"HTML" responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.

🚨 Cross-site Scripting Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as
"HTML" responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.

🚨 Exposure of information in Action Pack

Impact

Under certain circumstances response bodies will not be closed, for example a bug in a webserver or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.

Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

Workarounds

Upgrading is highly recommended, but to work around this problem the following middleware can be used:

class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

    def ensure_completed!
      @executor.new.complete! if @executor.active?
    end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end

🚨 Exposure of information in Action Pack

Impact

Under certain circumstances response bodies will not be closed, for example a bug in a webserver or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.

Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

Workarounds

Upgrading is highly recommended, but to work around this problem the following middleware can be used:

class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

    def ensure_completed!
      @executor.new.complete! if @executor.active?
    end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end

🚨 actionpack Open Redirect in Host Authorization Middleware

Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts <<  '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.

Releases

The fixed releases are available at the normal locations.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

• 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
• 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
• 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

🚨 Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text

There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.

Impact

Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2

Credits

Thanks to ooooooo_q for the report!

🚨 Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text

There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.

Impact

Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2

Credits

Thanks to ooooooo_q for the report!

🚨 Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text

There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.

Impact

Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2

Credits

Thanks to ooooooo_q for the report!

🚨 Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text

There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.

Impact

Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2

Credits

Thanks to ooooooo_q for the report!

🚨 ActionText ContentAttachment can Contain Unsanitized HTML

Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML.

This has been assigned the CVE identifier CVE-2024-32464.

Versions Affected: >= 7.1.0
Not affected: < 7.1.0
Fixed Versions: 7.1.3.4

Impact

This could lead to a potential cross site scripting issue within the Trix editor.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.

• action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series

Credits

Thank you ooooooo_q for reporting this!

🚨 Trix Editor Arbitrary Code Execution Vulnerability

The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application.

Vulnerable Versions:

• 1.x series up to and including 1.3.1
• 2.x series up to and including 2.1.0

Fixed Versions:

• v1.3.2
• v2.1.1

Vector:

• Bug 1: When copying content manipulated by a script, such as:

document.addEventListener('copy', function(e){
  e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>');
  e.preventDefault();
});

and pasting into the Trix editor, the script within the content is executed.

• Bug 2: Similar execution occurs with content structured as:

document.write(`copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=alert(101)&gt;HELLO123&quot;}"></div>me`);

Impact:

An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Remediation:

Update Recommendation: Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.

CSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts can significantly mitigate the risk of such vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References:

• https://github.com/basecamp/trix/releases/tag/v2.1.1
• basecamp/trix#1147
• basecamp/trix#1149
• basecamp/trix#1153

Credit: These issues were reported by security researchers loknop and pinpie.

🚨 Trix Editor Arbitrary Code Execution Vulnerability

The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application.

Vulnerable Versions:

• 1.x series up to and including 1.3.1
• 2.x series up to and including 2.1.0

Fixed Versions:

• v1.3.2
• v2.1.1

Vector:

• Bug 1: When copying content manipulated by a script, such as:

document.addEventListener('copy', function(e){
  e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>');
  e.preventDefault();
});

and pasting into the Trix editor, the script within the content is executed.

• Bug 2: Similar execution occurs with content structured as:

document.write(`copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=alert(101)&gt;HELLO123&quot;}"></div>me`);

Impact:

An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Remediation:

Update Recommendation: Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.

CSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts can significantly mitigate the risk of such vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References:

• https://github.com/basecamp/trix/releases/tag/v2.1.1
• basecamp/trix#1147
• basecamp/trix#1149
• basecamp/trix#1153

Credit: These issues were reported by security researchers loknop and pinpie.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

🚨 Rails has a possible XSS vulnerability in its Action View tag helpers

Impact

When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.

Releases

The fixed releases are available at the normal locations.

🚨 Rails has a possible XSS vulnerability in its Action View tag helpers

Impact

When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.

Releases

The fixed releases are available at the normal locations.

🚨 Rails has a possible XSS vulnerability in its Action View tag helpers

Impact

When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.

Releases

The fixed releases are available at the normal locations.

🚨 rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements

NOTE: rails-ujs is part of Rails/actionview since 5.1.0.

There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to
occur when pasting malicious HTML content from the clipboard that
includes a data-method, data-remote or data-disable-with attribute.

This vulnerability has been assigned the CVE identifier CVE-2023-23913.

Not affected: < 5.1.0
Versions Affected: >= 5.1.0
Fixed Versions: 6.1.7.3, 7.0.4.3

Impact
If the specified malicious HTML clipboard content is provided to a
contenteditable element, this could result in the arbitrary execution
of javascript on the origin in question.

Releases
The FIXED releases are available at the normal locations.

Workarounds
We recommend that all users upgrade to one of the FIXED versions.
In the meantime, users can attempt to mitigate this vulnerability
by removing the contenteditable attribute from elements in pages
that rails-ujs will interact with.

Patches
To aid users who aren’t able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am
format and consist of a single changeset.

• rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series
• rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are
supported at present, and 6.0.Z for severe vulnerabilities.

Users of earlier unsupported releases are advised to upgrade as
soon as possible as we cannot guarantee the continued availability
of security fixes for unsupported releases.

Credits
We would like to thank ryotak 15 for reporting this!

• rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB)
• rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB)
• rails-ujs-data-method-contenteditable-main.patch (8.9 KB)

🚨 rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements

NOTE: rails-ujs is part of Rails/actionview since 5.1.0.

There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to
occur when pasting malicious HTML content from the clipboard that
includes a data-method, data-remote or data-disable-with attribute.

This vulnerability has been assigned the CVE identifier CVE-2023-23913.

Not affected: < 5.1.0
Versions Affected: >= 5.1.0
Fixed Versions: 6.1.7.3, 7.0.4.3

Impact
If the specified malicious HTML clipboard content is provided to a
contenteditable element, this could result in the arbitrary execution
of javascript on the origin in question.

Releases
The FIXED releases are available at the normal locations.

Workarounds
We recommend that all users upgrade to one of the FIXED versions.
In the meantime, users can attempt to mitigate this vulnerability
by removing the contenteditable attribute from elements in pages
that rails-ujs will interact with.

Patches
To aid users who aren’t able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am
format and consist of a single changeset.

• rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series
• rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are
supported at present, and 6.0.Z for severe vulnerabilities.

Users of earlier unsupported releases are advised to upgrade as
soon as possible as we cannot guarantee the continued availability
of security fixes for unsupported releases.

Credits
We would like to thank ryotak 15 for reporting this!

• rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB)
• rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB)
• rails-ujs-data-method-contenteditable-main.patch (8.9 KB)

🚨 XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

If untrusted data is passed as the hash key for tag attributes, there is a possibility that the untrusted data may not be properly escaped which can lead to an XSS vulnerability.

Impacted code will look something like this:

check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })

Where the "malicious_input" variable contains untrusted data.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Escape the untrusted data before using it as a key for tag helper methods.

🚨 XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

If untrusted data is passed as the hash key for tag attributes, there is a possibility that the untrusted data may not be properly escaped which can lead to an XSS vulnerability.

Impacted code will look something like this:

check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })

Where the "malicious_input" variable contains untrusted data.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Escape the untrusted data before using it as a key for tag helper methods.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

🚨 Active Record logging vulnerable to ANSI escape injection

This vulnerability has been assigned the CVE identifier CVE-2025-55193

Impact

The ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.

Releases

The fixed releases are available at the normal locations.

Credits

Thanks to lio346 from Unit 515 of OPSWAT for reporting this vulnerability

🚨 Active Record logging vulnerable to ANSI escape injection

This vulnerability has been assigned the CVE identifier CVE-2025-55193

Impact

The ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.

Releases

The fixed releases are available at the normal locations.

Credits

Thanks to lio346 from Unit 515 of OPSWAT for reporting this vulnerability

🚨 Active Record logging vulnerable to ANSI escape injection

This vulnerability has been assigned the CVE identifier CVE-2025-55193

Impact

The ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.

Releases

The fixed releases are available at the normal locations.

Credits

Thanks to lio346 from Unit 515 of OPSWAT for reporting this vulnerability

🚨 SQL Injection Vulnerability via ActiveRecord comments

There is a possible vulnerability in ActiveRecord related to the sanitization of comments. This vulnerability has been assigned the CVE identifier CVE-2023-22794.

Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.6.1, 6.1.7.1, 7.0.4.1
Impact

Previously the implementation of escaping for comments was insufficient for

If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.

In most cases these interfaces won’t be used with user input and users should avoid doing so.

Example vulnerable code:

Post.where(id: 1).annotate("#{params[:user_input]}")

Post.where(id: 1).optimizer_hints("#{params[:user_input]}")

Example vulnerable QueryLogs configuration (the default configuration is not vulnerable):

config.active_record.query_log_tags = [
  {
    something: -> { <some value including user input> }
  }
]

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

Avoid passing user input to annotate and avoid using QueryLogs configuration which can include user input.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.0 series
6-1-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.1 series
7-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

🚨 SQL Injection Vulnerability via ActiveRecord comments

There is a possible vulnerability in ActiveRecord related to the sanitization of comments. This vulnerability has been assigned the CVE identifier CVE-2023-22794.

Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.6.1, 6.1.7.1, 7.0.4.1
Impact

Previously the implementation of escaping for comments was insufficient for

If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.

In most cases these interfaces won’t be used with user input and users should avoid doing so.

Example vulnerable code:

Post.where(id: 1).annotate("#{params[:user_input]}")

Post.where(id: 1).optimizer_hints("#{params[:user_input]}")

Example vulnerable QueryLogs configuration (the default configuration is not vulnerable):

config.active_record.query_log_tags = [
  {
    something: -> { <some value including user input> }
  }
]

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

Avoid passing user input to annotate and avoid using QueryLogs configuration which can include user input.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.0 series
6-1-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.1 series
7-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

🚨 Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter

There is a potential denial of service vulnerability present in ActiveRecord's PostgreSQL adapter.

This has been assigned the CVE identifier CVE-2022-44566.

Versions Affected: All. Not affected: None.

Fixed Versions

• 2.3.18.47 (Rails LTS, which is a paid service and not part of the rubygem)
• 3.2.22.34 (Rails LTS, which is a paid service and not part of the rubygem)
• 4.2.11.27 (Rails LTS, which is a paid service and not part of the rubygem)
• 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem)
• 6.1.7.1
• 7.0.4.1

Impact

In ActiveRecord < 7.0.4.1 and < 6.1.7.1, when a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.

Releases

The fixed releases are available at the normal locations.

Workarounds

Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy 1 regarding security issues. They are in git-am format and consist of a single changeset.

6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 6.1 series
7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 7.0 series

🚨 Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter

There is a potential denial of service vulnerability present in ActiveRecord's PostgreSQL adapter.

This has been assigned the CVE identifier CVE-2022-44566.

Versions Affected: All. Not affected: None.

Fixed Versions

• 2.3.18.47 (Rails LTS, which is a paid service and not part of the rubygem)
• 3.2.22.34 (Rails LTS, which is a paid service and not part of the rubygem)
• 4.2.11.27 (Rails LTS, which is a paid service and not part of the rubygem)
• 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem)
• 6.1.7.1
• 7.0.4.1

Impact

In ActiveRecord < 7.0.4.1 and < 6.1.7.1, when a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.

Releases

The fixed releases are available at the normal locations.

Workarounds

Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy 1 regarding security issues. They are in git-am format and consist of a single changeset.

6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 6.1 series
7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 7.0 series

🚨 Active Record RCE bug with Serialized Columns

When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.

There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.

🚨 Active Record RCE bug with Serialized Columns

When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.

There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

🚨 Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests

Impact

Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests

Impact

Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests

Impact

Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has possible Path Traversal in DiskService

Impact

Active Storage's DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. ../) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has possible Path Traversal in DiskService

Impact

Active Storage's DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. ../) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has possible glob injection in its DiskService

Impact

Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has possible glob injection in its DiskService

Impact

Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has possible content type bypass via metadata in direct uploads

Impact

Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has possible glob injection in its DiskService

Impact

Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests

Impact

When serving files through Active Storage's Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. bytes=0-) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has possible Path Traversal in DiskService

Impact

Active Storage's DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. ../) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has possible content type bypass via metadata in direct uploads

Impact

Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has possible content type bypass via metadata in direct uploads

Impact

Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests

Impact

When serving files through Active Storage's Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. bytes=0-) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests

Impact

When serving files through Active Storage's Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. bytes=0-) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.

Releases

The fixed releases are available at the normal locations.

🚨 Active Storage allowed transformation methods that were potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

This has been assigned the CVE identifier CVE-2025-24293.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1

Impact

This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.

Credits

Thank you lio346 from Unit 515 of OPSWAT for reporting this!

🚨 Active Storage allowed transformation methods that were potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

This has been assigned the CVE identifier CVE-2025-24293.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1

Impact

This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.

Credits

Thank you lio346 from Unit 515 of OPSWAT for reporting this!

🚨 Active Storage allowed transformation methods that were potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

This has been assigned the CVE identifier CVE-2025-24293.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1

Impact

This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.

Credits

Thank you lio346 from Unit 515 of OPSWAT for reporting this!

🚨 Rails has possible Sensitive Session Information Leak in Active Storage

Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage. By
default, Active Storage sends a Set-Cookie header along with the user's
session cookie when serving blobs. It also sets Cache-Control to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0
Not affected: < 5.2.0, > 7.1.0
Fixed Versions: 7.0.8.1, 6.1.7.7

Impact

A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker's session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.

Credits

Thanks to tyage for reporting this!

🚨 Rails has possible Sensitive Session Information Leak in Active Storage

Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage. By
default, Active Storage sends a Set-Cookie header along with the user's
session cookie when serving blobs. It also sets Cache-Control to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0
Not affected: < 5.2.0, > 7.1.0
Fixed Versions: 7.0.8.1, 6.1.7.7

Impact

A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker's session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.

Credits

Thanks to tyage for reporting this!

🚨 Possible code injection vulnerability in Rails / Active Storage

The Active Storage module of Rails starting with version 5.2.0 is possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.

🚨 Possible code injection vulnerability in Rails / Active Storage

The Active Storage module of Rails starting with version 5.2.0 is possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

🚨 Active Support Possibly Discloses Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

🚨 Active Support Possibly Discloses Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

🚨 Possible XSS Security Vulnerability in SafeBuffer#bytesplice

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

🚨 Possible XSS Security Vulnerability in SafeBuffer#bytesplice

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

🚨 ReDoS based DoS vulnerability in Active Support's underscore

There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact

A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

🚨 ReDoS based DoS vulnerability in Active Support's underscore

There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact

A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

See the full diff on Github. The new version differs by 24 commits:

• Release 3.3.0
• Merge pull request #24 from casperisfine/update-ci
• File.exists? -> File.exist?
• Update CI configuration and gemspec
• Merge pull request #23 from Earlopain/ci-update
• Add Ruby 3.1-3.3 to CI
• Update readme and gemspec to point to rails/builder repo
• Merge pull request #9 from timkrins/patch-2
• Merge pull request #14 from hosamaly/patch-1
• Merge pull request #15 from voxik/remove-blankslate
• Merge pull request #16 from voxik/gh-actions
• Merge pull request #19 from kbrock/chmod
• Merge pull request #20 from kbrock/pr/64
• Merge pull request #21 from kbrock/pr/63
• Updated comments which are incorrect.
• Fix spelling mistake in example
• remove exec but from rdoc
• Drop Travis configuration.
• Setup GitHub actions.
• Use BasicObject instead of BlankSlate
• Update the changelog for v3.2.4
• Merge pull request #8 from orien/gem-metadata
• Add project metadata to the gemspec
• Fix spelling mistake

1.3.6

What's Changed

• Run tests without the C extension in CI by @eregon in #1081
• Fix typo in Promise docs by @danieldiekmeier in #1083
• Correct word in readme by @wwahammy in #1084
• Fix mistakes in MVar documentation by @trinistr in #1087
• Fix multi require concurrent/executor/cached_thread_pool by @OuYangJinTing in #1085
• Use typed data APIs by @nobu in #1096
• Add Joshua Young to the list of maintainers by @eregon in #1097
• Asynchronous pruning for RubyThreadPoolExecutor by @joshuay03 in #1082
• Mark RubySingleThreadExecutor as a SerialExecutorService by @meineerde in #1070
• Allow TimerTask to be safely restarted after shutdown and avoid duplicate tasks by @bensheldon in #1001
• Flaky test fix: allow ThreadPool to shutdown before asserting completed_task_count by @bensheldon in #1098
• ThreadPoolExecutor#kill will wait_for_termination in JRuby; ensure TimerSet timer thread shuts down cleanly by @bensheldon in #1044

New Contributors

• @danieldiekmeier made their first contribution in #1083
• @wwahammy made their first contribution in #1084
• @trinistr made their first contribution in #1087
• @OuYangJinTing made their first contribution in #1085
• @nobu made their first contribution in #1096
• @joshuay03 made their first contribution in #1082

Full Changelog: v1.3.5...v1.3.6

1.3.5

What's Changed

• Remove dependency on logger by @eregon in #1062
• Avoid error when member is present on ancestor class by @francesmcmullin in #1068
• Set rake-compiler source and target to Java 8 by @headius in #1071
• chore: fix typos by @chenrui333 in #1076

New Contributors

• @francesmcmullin made their first contribution in #1068
• @chenrui333 made their first contribution in #1076

Full Changelog: v1.3.4...v1.3.5

1.3.4

What's Changed

• Update comment for JRuby variant of processor_count to reality by @meineerde in #1054
• Add Concurrent.cpu_requests that is cgroups aware. by @heka1024 in #1058
• Fix the doc of Concurrent.available_processor_count by @y-yagi in #1059
• Fix the return value of Concurrent.available_processor_count when cpu.cfs_quota_us is -1 by @y-yagi in #1060

New Contributors

• @heka1024 made their first contribution in #1058
• @y-yagi made their first contribution in #1059

Full Changelog: v1.3.3...v1.3.4

1.3.3

What's Changed

• Improve speed for windows Get-CimInstance by @Earlopain in #1053

Full Changelog: v1.3.2...v1.3.3

1.3.2

What's Changed

• Fix method name in CHANGELOG.md by @nertzy in #1049
• Remove dependency on win32ole by @Earlopain in #1051

New Contributors

• @nertzy made their first contribution in #1049
• @Earlopain made their first contribution in #1051

Full Changelog: v1.3.1...v1.3.2

1.3.1

This release is essentially v1.3.0, but with a properly packaged gem. There was an issue publishing v1.3.0 and that gem needed to be yanked to avoid breaking downstream projects. The v1.3.0 changelog is reproduced below.

What's Changed

• Add Concurrent.usable_processor_count that is cgroups aware by @casperisfine in #1038
• Align Java Executor Service behavior for shuttingdown?, shutdown? by @bensheldon in #1042

New Contributors

• @dependabot made their first contribution in #1028
• @kkohrt made their first contribution in #1037

Full Changelog: v1.2.3...v1.3.1

1.2.3

What's Changed

• Fix TimerTask :execution_interval docs by @freemanoid in #994
• Fix TimerTask docs to not refer to #execute as "blocking" by @bensheldon in #996
• Fix TimerTask example output by @bensheldon in #1003
• Fix broken CI due to rake-compiler error on Ruby < 2.6 by @mattbrictson in #1007
• Fix doc typo: yeild → yield by @mattbrictson in #1006
• Fix DaemonThreadFactory - reuse single Java thread factory by @obulkin in #1009
• Fix sporadic failures testing with JRuby by @headius in #1012
• Allow TimerSet to safely handle an executor raising RejectedExecutionError by @bensheldon in #999
• Use executor from arg in then_on/rescue_on/chain_on for Promises by @tgwizard in #1005
• Allow TimerTask to be initialized with a specified Executor by @bensheldon in #1000
• Create method ThreadPoolExecutor#active_count to expose the number of threads that are actively executing tasks by @bensheldon in #1002
• Drop dependency on mutex_m by @casperisfine in #1013
• Fix compile error on FreeBSD 14 by @janbiedermann in #1014
• Fix spurious return in Promises#wait_until_resolved by @eregon in #1016
• Remove AtomicReferenceMapBackend and CheapLockable by @eregon in #1018
• Add Ruby 3.3 in CI by @eregon in #1021
• docs: fix typo in throttle docs by @G-Rath in #1024
• docs: update promises grammar by @G-Rath in #1026
• Add TimerTask#interval_type option to configure interval calculation by @bensheldon in #997

New Contributors

• @freemanoid made their first contribution in #994
• @bensheldon made their first contribution in #996
• @mattbrictson made their first contribution in #1007
• @obulkin made their first contribution in #1009
• @headius made their first contribution in #1012
• @tgwizard made their first contribution in #1005
• @janbiedermann made their first contribution in #1014
• @G-Rath made their first contribution in #1024

Full Changelog: v1.2.2...v1.2.3

1.2.2

concurrent-ruby 1.2.2:

• (#993) Fix arguments passed to Concurrent::Map's default_proc.

1.2.1

concurrent-ruby 1.2.1:

• (#990) Add missing require 'fiber' for FiberLocalVar.
• (#989) Optimize Concurrent::Map#[] on CRuby by letting the backing Hash handle the default_proc.

1.2.0

concurrent-ruby 1.2.0:

• (#975) Set the Ruby compatibility version at 2.3
• (#962) Fix ReentrantReadWriteLock to use the same granularity for locals as for Mutex it uses.
• (#983) Add FiberLocalVar
• (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
• (#976) Let Promises.any_fulfilled_future take an Event
• Improve documentation of various classes
• (#972) Remove Rubinius-related code

concurrent-ruby-edge 0.7.0:

• (#975) Set the Ruby compatibility version at 2.3
• (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
• (#972) Remove Rubinius-related code

1.1.10

concurrent-ruby:

• (#951) Set the Ruby compatibility version at 2.2
• (#939, #933) The caller_runs fallback policy no longer blocks reads from the job queue by worker threads
• (#938, #761, #652) You can now explicitly prune_pool a thread pool (Sylvain Joyeux)
• (#937, #757, #670) We switched the Yahoo stock API for demos to Alpha Vantage (Gustavo Caso)
• (#932, #931) We changed how SafeTaskExecutor handles local jump errors (Aaron Jensen)
• (#927) You can use keyword arguments in your initialize when using Async (Matt Larraz)
• (#926, #639) We removed timeout from TimerTask because it wasn't sound, and now it's a no-op with a warning (Jacob Atzen)
• (#919) If you double-lock a re-entrant read-write lock, we promote to locked for writing (zp yuan)
• (#915) monotonic_time now accepts an optional unit parameter, as Ruby's clock_gettime (Jean Boussier)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

1.13.1 (from changelog)

* Avoid spurious frozen string literal warnings for chilled strings when using Ruby 3.4 (jeremyevans)

1.13.0 (from changelog)

* Define Erubi.h as a module function (jeremyevans)

* Add erubi/capture_block, supporting capturing block output via standard <%= and <%== tags (jeremyevans)

1.12.0 (from changelog)

* Use erb/escape for faster html escaping if available (jeremyevans)

* Default :freeze_template_literals option to false if running with --enable-frozen-string-literal (casperisfine) (#35)

1.11.0 (from changelog)

* Support :freeze_template_literals option for configuring whether to add .freeze to template literal strings (casperisfine) (#33)

* Support :chain_appends option for chaining appends to the buffer variable (casperisfine, jeremyevans) (#32)

* Avoid unnecessary defined? usage on Ruby 3+ when using the :ensure option (jeremyevans)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 42 commits:

• Bump version to 1.13.1
• Use -W:strict_unused_block when running tests on Ruby 3.4+
• Avoid spurious frozen string literal warnings on Ruby 3.4.0-preview2
• Bump version to 1.13.0
• Add erubi/capture_block to the gem
• Adjust nocov markers
• Define Erubi.h as a module function
• Add erubi/capture_block, supporting capturing block output via standard <%= and <%== tags
• Restructure tests to make it so the same basic tests can be used for multiple engines
• Add Ruby 3.3 to CI and bump actions/checkout to v4
• Switch from hanna-nouveau to hanna
• Stop testing Ruby 2.2 in CI as it no longer works with ubuntu-latest
• Move to actions/checkout@v3
• Limit rake gem restriction in CI to Ruby <2.4
• Add CI for Ruby 3.2
• Bump version to 1.12.0
• Add nocov markings around use of erb/escape
• Add mailing_list_uri to the gem metadata
• Use erb/escape for faster html escaping if available
• Avoid unused variable verbose warning on JRuby in test
• Test JRuby 9.4 in CI
• Update memory footprint comparison
• Update CHANGELOG
• Disable freeze_template_literals if `--enable-frozen-string-literal`
• Bump version to 1.11.0
• Fix tests, update documentation and CHANGELOG
• Add `freeze_template_literals` option to avoid String#freeze
• Add chain_appends option to simplify VM instructions (Fixes #32)
• Add space after semicolon in generated output
• Avoid unnecessary defined? usage on Ruby 3+ when using the :ensure option
• Add a test for no tags with frozen source
• Tighten CI permissions
• Test Ruby 3.1 in CI
• Run specs in verbose mode on Ruby 3+
• Try Ruby 1.9.3, 2.0, and JRuby 9.3 on GitHub Actions
• Extract default regexp to Constant
• Stop using Travis
• Bump copyright year
• Start testing on truffleruby, and simplify ci.yml
• Test on ruby 3.0
• RANGE_ALL is not in use since 4dc81c210664bfa244c6015bb3aa034b29f5a66f
• Use GitHub Actions CI for supported Ruby versions

🚨 ReDoS based DoS vulnerability in GlobalID

There is a ReDoS based DoS vulnerability in the GlobalID gem. This vulnerability has been assigned the CVE identifier CVE-2023-22799.

Versions Affected: >= 0.2.1 Not affected: NOTAFFECTED Fixed Versions: 1.0.1
Impact

There is a possible DoS vulnerability in the model name parsing section of the GlobalID gem. Carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

1-0-model-name-redos.patch - Patch for 1.0 series

1.3.0

What's Changed

• Set required ruby version to 2.7.0 and up by @risen in #169
• Keep using URI RFC2396 parser by @voxik in #192
• Make DEFAULT_LOCATOR Configurable by @heka1024 in #179

New Contributors

• @risen made their first contribution in #169
• @biow0lf made their first contribution in #167
• @duffuniverse made their first contribution in #180
• @berkos made their first contribution in #170
• @elia made their first contribution in #195
• @Earlopain made their first contribution in #188
• @stevenharman made their first contribution in #173
• @voxik made their first contribution in #192
• @m-nakamura145 made their first contribution in #175
• @heka1024 made their first contribution in #179
• @tylerwillingham made their first contribution in #200

Full Changelog: v1.2.1...v1.3.0

1.2.0

What's Changed

• Drop support to Rails < 6.1 and Ruby <2.7 by @rafaelfranca in #153
• Don't show secrets for SignedGlobalID#inspect by @p8 in #160
• Allow for composite identifiers delimited by / by @nvasilevski in #163
• Add Eager Load Option by @rafacoello in #139

New Contributors

• @rafaelfranca made their first contribution in #153
• @p8 made their first contribution in #159
• @nvasilevski made their first contribution in #162
• @rafacoello made their first contribution in #139

Full Changelog: v1.1.0...v1.2.0

1.1.0

What's Changed

• URI::GID: Update #check_scheme, no need to call super by @alexcwatt in #146
• JSON-encode GlobalIDs as strings by @georgeclaghorn in #149
• Support pattern matching of GlobalID & GlobalID::URI by @ojab in #140
• prevent double find by @ooooooo-q in #148
• implement non signed global_id helper method on fixture set by @rainerborene in #144

New Contributors

• @daemonsy made their first contribution in #142
• @alexcwatt made their first contribution in #146
• @liijunwei made their first contribution in #150
• @ojab made their first contribution in #140
• @ooooooo-q made their first contribution in #148
• @rainerborene made their first contribution in #144

Full Changelog: v1.0.1...v1.1.0

1.0.1

Possible ReDoS based DoS vulnerability in GlobalID

There is a ReDoS based DoS vulnerability in the GlobalID gem. This
vulnerability has been assigned the CVE identifier CVE-2023-22799.

Versions Affected: >= 0.2.1
Not affected: NOTAFFECTED
Fixed Versions: 1.0.1

Impact

There is a possible DoS vulnerability in the model name parsing section of the
GlobalID gem. Carefully crafted input can cause the regular expression engine
to take an unexpected amount of time. All users running an affected release
should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Credits

Thank you ooooooo_k for reporting this!

1.0.0

Stable API release.

The code is the same as the 0.6.0 release.

0.6.0

• Add ActiveRecord::FixtureSet.signed_global_id helper to generate signed ids inside fixtures.

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

🚨 Improper detection of disallowed URIs by Loofah `allowed_uri?`

Summary

Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as 
 (carriage return), 
 (line feed), or 	 (tab).

Details

The allowed_uri? method strips literal control characters before decoding HTML entities. Payloads like java
script:alert(1) survive the control character strip, then 
 is decoded to a carriage return, producing java\rscript:alert(1).

Note that the Loofah sanitizer's default sanitize() path is not affected because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the allowed_uri? string-level helper when passing HTML-encoded strings.

Impact

Applications that call Loofah::HTML5::Scrub.allowed_uri? to validate user-controlled URLs and then render approved URLs into href or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).

This only affects Loofah 2.25.0.

Mitigation

Upgrade to Loofah >= 2.25.1.

Credit

Responsibly reported by HackOne user @smlee.

🚨 Inefficient Regular Expression Complexity in Loofah

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)
• https://hackerone.com/reports/1684163

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

🚨 Improper neutralization of data URIs may allow XSS in Loofah

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as Medium Severity 6.1.

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg
• https://hackerone.com/reports/1694173
• #101

Credit

This vulnerability was responsibly reported by Maciej Piechota (@haqpl).

🚨 Uncontrolled Recursion in Loofah

Summary

Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-674: Uncontrolled Recursion (4.9)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

2.9.0

What's Changed

• Fix little typo by @nbennke in #1462
• 2.8.0.rc1 Regression: Preserve message-level charset when adding parts (related to Rails ActionMailer) by @johnnyshields in #1495
• Use Rake's default rakelib/ directory by @olleolleolle in #1488
• refactor: Use Dir.glob only once in gemspec's "files" directive by @olleolleolle in #1486
• Configure RSpec's zero-monkey patching mode by @olleolleolle in #1485
• Remove unnecessary gemfile dependency on strscan by @deivid-rodriguez in #1483
• README: sending multipart mail by @kapfenho in #1479
• Add delivery_interceptors method to Mail class to fetch registered interceptors by @ghousemohamed in #1475
• Update MIME-Version to have correct case per the RFC by @mikel in #1503
• Adding explicit JRuby support by @mikel in #1508
• refactor: Use Ruby 2's dir where possible by @olleolleolle in #1487
• [Corrected] Layout/TrailingWhitespace: Trailing whitespace detected. by @mikel in #1510
• Improve documentation by @fwolfst in #1371
• Span => Spam by @sebbASF in #1320
• use unpack1 by @ahorek in #1513
• Lazy-load fields and elements by @c960657 in #1491
• Install libyaml-dev for Psych by @c960657 in #1522
• Feature/parse lf by @sebbASF in #1520
• use match? by @ahorek in #1514
• Bump actions/checkout to v3 by @sebbASF in #1535
• Fix for #1527 by @sebbASF in #1534
• Standardise on WARNING: prefix by @sebbASF in #1533
• Checks are in the wrong place by @sebbASF in #1531
• Allow manual trigger by @sebbASF in #1524
• Handle parsing of LF-only body with separate parts by @mikel in #1511
• Make activesupport gem optional by @sebbASF in #1532
• SMTP: refactor and accept starttls :always and :auto by @eval in #1536
• Adds Ruby 3.2 to the CI matrix by @petergoldstein in #1552
• Layout conventions are not the same as syntax by @sebbASF in #1558
• Don't shadow local variable by @sebbASF in #1318
• Revert PR #1495 because it is a dupe of #1470 by @johnnyshields in #1559
• Add Ruby 3.3 to CI matrix by @m-nakamura145 in #1595
• TruffleRuby is flaky by @sebbASF in #1599
• Use require_relative where possible by @eval in #1598
• Test string is 1 char short of 78 by @sebbASF in #1568
• Update documentation regarding errors array by @mikehale in #1605
• Fix all 'assigned but unused variable' warnings by @skipkayhil in #1551
• Fix IMAP search issues by @nevans in #1611
• Document SMTP TLS/STARTTLS settings (cherry-picked from 2.8 stable branch) by @nevans in #1613
• CI: Use checkout@v4 by @olleolleolle in #1616
• Drop unused "ad hoc" GH Actions workflow by @olleolleolle in #1615
• include rfc822 as attachments by @ahorek in #1389
• Address warning: URI::RFC3986_PARSER warnings by @yahonda in #1620
• Add logger as a dependency for Ruby 3.4 warnings by @yahonda in #1619
• Fix regression in content_type for text part after converted to multipart by @jeremyevans in #1330

New Contributors

• @nbennke made their first contribution in #1462
• @johnnyshields made their first contribution in #1495
• @kapfenho made their first contribution in #1479
• @ghousemohamed made their first contribution in #1475
• @petergoldstein made their first contribution in #1552
• @mikehale made their first contribution in #1605
• @skipkayhil made their first contribution in #1551

Full Changelog: 2.8.1...2.9.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

1.1.0

What's Changed

• Identify Sony and Canon raw images as subtypes of image/tiff by @afcapel in #89
• Fix frozen string literal warning in magic detection by @FrancescoK in #123
• Update tika definitions to latest version by @MarcelEeken in #114
• Fix detection of AV1 in WebM as video/webm by @alexandergitter in #104

New Contributors

• @afcapel made their first contribution in #89
• @FrancescoK made their first contribution in #123
• @MarcelEeken made their first contribution in #114
• @Mth0158 made their first contribution in #108
• @mark-young-atg made their first contribution in #105
• @alexandergitter made their first contribution in #104
• @rafaelfranca made their first contribution in #126

Full Changelog: v1.0.4...v1.1.0

1.0.4

What's Changed

• Regression fix: binary declared type should fall back to filename extension type by @jeremy in #99

Full Changelog: v1.0.3...v1.0.4

1.0.3

What's Changed

• Prefer audio/ogg instead of audio/vorbis by @gmcgibbon in #65
• Suppress warning by @wonda-tea-coffee in #69
• Add explanation of MimeType.for's handling of argument types by @elebow in #68
• tables.rb: Generate UTF-8 strings when possible. by @casperisfine in #70
• Remove comment strings from Tables::TYPE by @casperisfine in #71
• Store MIME parents in a distinct Hash by @casperisfine in #72
• Fix magic detection for HTML with <svg by @ursm in #74
• Update gem name in Gemfile by @elebow in #88
• Move to GitHub Actions by @hahmed in #82
• Add note in README how to extend detection of custom file types by @vipulnsward in #93
• Fix Illustrator detection as application/pdf instead of application/illustrator by @jeremy in #94

New Contributors

• @wonda-tea-coffee made their first contribution in #69
• @elebow made their first contribution in #68
• @casperisfine made their first contribution in #70
• @ursm made their first contribution in #74
• @hahmed made their first contribution in #82
• @vipulnsward made their first contribution in #93
• @jeremy made their first contribution in #94

Full Changelog: v1.0.2...v1.0.3

1.0.2

• Include Apache license in gem release. (a525d5b)
• Prefer audio/x-wav for WAV audio files. (#45)
• Prefer application/x-x509-ca-cert for Privacy-Enhanced Mail certificates. (#46)
• Prefer audio/flac for FLAC audio files. (#47)
• Prefer audio/aac for Advanced Audio Coding audio files. (#49)
• Prefer application/vnd.ms-access for Microsodt Access DB files. (#50)
• Support text/x-scss and text/x-sass stylesheets. (#52)
• Support encrypted Microsoft Access DB files. (#53)
• Prefer application/x-ole-storage for Microsoft Office files. (#54)
• Prefer text/markdown for Markdown files. (#55)
• Prefer audio/mpc for Musepack audio files. (#56)
• Support audio/webm audio files. (#58)
• Support image/avif images files. (#63)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

See the full diff on Github. The new version differs by 18 commits:

• Update mime types from upstream and bump
• Version bump
• Handle MIME::Types differences on Windows
• Shim IO#pread when not supported
• Version bump
• Make the library fork safe and drop the mutex
• DB updates 2023-03-01T10:03:17Z (#49)
• Adds Ruby 3.2 to the CI matrix. Requires Ruby >= 2.6. (#48)
• DEV: Require ruby >= 2.5 (#46)
• DEV: Update gem description to match repo desc (#47)
• DB updates 2022-01-06T11:58:07Z (#45)
• Update CI config (#42)
• Add Ruby 3.0 to CI (#40)
• version bump
• DB updates 2021-10-01T10:15:26Z
• version bump and changelog
• DB updates 2021-08-01T10:14:51Z
• DEV: Allow recent versions of gems in development

2.8.9

2.8.9 / 2025-05-12

Ruby support

• Import only what's needed from cgi, for supporting Ruby 3.5. #160 @Earlopain

New Contributors

• @kenhys made their first contribution in #156
• @Earlopain made their first contribution in #160

Full Changelog: v2.8.8...v2.8.9

2.8.8

2.8.8 / 2024-11-14

Improved

• Raise an exception with a clear error message when xzcat is needed but is not installed. (#152) @flavorjones

2.8.7

2.8.7 / 2024-05-31

Added

• When setting the C compiler through the MiniPortile constructor, the preferred keyword argument is now :cc_command. The original :gcc_command is still supported. (#144 by @flavorjones)
• Add support for extracting xz-compressed tarballs on OpenBSD. (#141 by @postmodern)
• Add OpenBSD support to the experimental method MakeMakefile#mkmf_config. (#141 by @flavorjones)

Changed

• MiniPortileCMake now detects the C and C++ compiler the same way MiniPortile does: by examining environment variables, then using kwargs, then looking in RbConfig (in that order). (#144 by @flavorjones)
• GPG file verification error messages are captured in the raised exception. Previously these errors went to stderr. (#145 by @flavorjones)

2.8.6

2.8.6 / 2024-04-14

Added

• When using CMake on FreeBSD, default to clang's "cc" and "c++" compilers. (#139 by @mudge)

2.8.5

2.8.5 / 2023-10-22

Added

• New methods #lib_path and #include_path which point at the installed directories under ports. (by @flavorjones)
• Add config param for CMAKE_BUILD_TYPE, which now defaults to Release. (#136 by @Watson1978)

Experimental

Introduce experimental support for MiniPortile#mkmf_config which sets up MakeMakefile variables to properly link against the recipe. This should make it easier for C extensions to package third-party libraries. (by @flavorjones)

• With no arguments, will set up just $INCFLAGS, $libs, and $LIBPATH.
• Optionally, if provided a pkg-config file, will use that config to more precisely set $INCFLAGS, $libs, $LIBPATH, and $CFLAGS/$CXXFLAGS.
• Optionally, if provided the name of a static archive, will rewrite linker flags to ensure correct linkage.

Note that the behavior may change slightly before official support is announced. Please comment on #118 if you have feedback.

2.8.4

2.8.4 / 2023-07-18

• cmake: set CMAKE compile flags to configure cross-compilation similarly to autotools --host flag: SYSTEM_NAME, SYSTEM_PROCESSOR, C_COMPILER, and CXX_COMPILER. [#130] (Thanks, @stanhu!)

2.8.3

2.8.3 / 2023-07-18

Fixed

• cmake: only use MSYS/NMake generators when available. [#129] (Thanks, @stanhu!)

2.8.2

2.8.2 / 2023-04-30

Fixed

• Ensure that the source_directory option will work when given a Windows path to an autoconf directory. [#126]

2.8.1

2.8.1 / 2022-12-24

Fixed

• Support applying patches via git apply even when the working directory resembles a git directory. [#119] (Thanks, @h0tw1r3!)

2.8.0

2.8.0 / 2022-02-20

Added

• Support xz-compressed archives (recognized by an .xz file extension).
• When downloading a source archive, default open_timeout and read_timeout to 10 seconds, but allow configuration via open_timeout and read_timeout config parameters.

2.7.1

2.7.1 / 2021-10-20

Packaging

A test artifact that has been included in the gem was being flagged by some users' security scanners because it wasn't a real tarball. That artifact has been updated to be a real tarball. [#108]

2.7.0

2.7.0 / 2021-08-31

Added

The commands used for "make", "compile", and "cmake" are configurable via keyword arguments. [#107] (Thanks, @cosmo0920!)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

2.7.2 (from changelog)

• Modernize gem (list all authors, etc).
• Drop official support for Ruby 2.4.
• Fix JRuby release version.

2.7.1

What's Changed

• Update changes.md by @ioquatix in #311
• fix jruby warnings by @ahorek in #313
• Convert license to array of identifiers by @voxik in #312

Full Changelog: v2.7.0...v2.7.1

2.7.0

What's Changed

• Fix changelog_uri in gemspec metadata by @MaximeD in #303
• Fix license by @voxik in #309
• Convert NIO objects to TypedData API by @casperisfine in #310

New Contributors

• @MaximeD made their first contribution in #303
• @voxik made their first contribution in #309
• @casperisfine made their first contribution in #310

Full Changelog: v2.6.1...v2.7.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 53 commits:

• Bump patch version.
• Remove `tea.yaml`.
• Fix for `OpenSSL::SSL::SSLContext` `set_minmax_proto_version` removal. (#327)
• Update releases.
• Bump patch version.
• Mark as ractor-safe (#320)
• Update CI matrix. (#321)
• JRuby supports Java 8 and higher. Need to emit Java 8 classfile format (#317)
• Bump patch version.
• Don't build extensions twice :(
• Add tea.xyz constitution file.
• Fix JRuby release process.
• Bump patch version.
• Update changes.
• Remove 2.4 support from readme.
• Drop testing Ruby 2.4.
• Modernize gem.
• Relax dependency on `rake-compiler`.
• Update to `--release=9` for compiling java code.
• Bump patch version.
• Update release instructions.
• Convert license to array of identifiers (#312)
• fix jruby warnings (#313)
• Update changes.md
• Bump minor version.
• For some reason, I had to add `bake` as a direct dependency.
• Update changes.
• Convert NIO objects to TypedData API (#310)
• Fix license (#309)
• Fix changelog_uri in gemspec metadata (#303)
• Disable `bake-modernize` as it's not supported on Ruby v2.4.
• Bump patch version.
• Update copyrights/license & funding URI.
• Add bake-gem and bake-modernize for maintenance tasks.
• Don't update `io` which is subsequently stored. Retain the original. (#306)
• Resolve issue loading both nio and nio4r gems (#302)
• Avoid direct access to IO internals. (#301)
• Update changes.
• Remove codeql as it seems tricky to use without extra research.
• Prefer lower case.
• Create codeql.yml
• Fix conversion loses int precision using SIZET2NUM. (#297)
• Add more notes for building jruby package.
• Bump patch version.
• Fix order of OpenSSL require.
• Remove coveralls.
• Rework (VALUE* args) -> (VALUE arg) invalid function type. Fixes #287.
• Fix java 8 compatibility. (#292)
• Fix test workflow.
• Actions - remove Ubuntu-16.04, macOS to 11, add Ubuntu-22.04, Win 2022
• Add license file. Fixes #228, #282.
• allow missing `devkit`
• Add missing changelogs for v2.5.6 v2.5.7 v2.5.8

🚨 Nokogiri does not check the return value from xmlC14NExecute

Summary

Nokogiri's CRuby extension fails to check the return value from xmlC14NExecute in the method Nokogiri::XML::Document#canonicalize and Nokogiri::XML::Node#canonicalize. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries.

JRuby is not affected, as the Java implementation correctly raises RuntimeError on canonicalization failure.

Mitigation

Upgrade to Nokogiri >= 1.19.1.

Severity

The maintainers have assessed this as Medium severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References).

Credit

This vulnerability was responsibly reported by HackerOne researcher d4d.

🚨 Nokogiri patches vendored libxml2 to resolve multiple CVEs

Summary

Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796.

Impact and severity

CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae

CVE-2025-6170

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

NVD claims a severity of 2.5 Low (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1

CVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

CVE-2025-49795

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278

CVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

Affected Versions

• Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2

Patched Versions

• Nokogiri >= 1.18.9

Mitigation

Upgrade to Nokogiri v1.18.9 or later.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

References

• #3526
• https://nvd.nist.gov/vuln/detail/CVE-2025-6021
• https://nvd.nist.gov/vuln/detail/CVE-2025-6170
• https://nvd.nist.gov/vuln/detail/CVE-2025-49794
• https://nvd.nist.gov/vuln/detail/CVE-2025-49795
• https://nvd.nist.gov/vuln/detail/CVE-2025-49796

🚨 Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

• CVE-2025-32414
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
• CVE-2025-32415
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted
documents against trusted Schemas if they make use of xsd:keyref in combination with recursively
defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

🚨 Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

• CVE-2025-24855: Fix use-after-free of XPath context node
• CVE-2024-55549: Fix UAF related to excluded namespaces

Impact

CVE-2025-24855

• "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node"
• MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
• Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855

CVE-2024-55549

• "Use-after-free related to excluded result prefixes"
• MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
• Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549

🚨 Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

• CVE-2025-24928
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
• CVE-2024-56171
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

• described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
• patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

• 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
• 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
• 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

• Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
• Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

• CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
  • patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

• 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
• 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
• 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
• 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
• 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
• 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

• Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
• Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

• CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
  • patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

• 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
• 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
• 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
• 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
• 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
• 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

• CVE-2023-29469: Hashing of empty dict strings isn't deterministic
• CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType
• Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these same issues.

Impact

No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

• [CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45) · Commits · GNOME / libxml2 · GitLab
• [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e) · Commits · GNOME / libxml2 · GitLab
• schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7) · Commits · GNOME / libxml2 · GitLab

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-252: Unchecked Return Value (4.9)
• CWE - CWE-476: NULL Pointer Dereference (4.9)

Credit

This vulnerability was responsibly reported by @davidwilemski.

🚨 Update bundled libxml2 to v2.10.3 to resolve multiple CVEs

Summary

Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to v2.10.3 from v2.9.14.

libxml2 v2.10.3 addresses the following known vulnerabilities:

• CVE-2022-2309
• CVE-2022-40304
• CVE-2022-40303

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.9, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.9.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.3 which will also address these same issues.

Impact

libxml2 CVE-2022-2309

• CVSS3 score: Under evaluation
• Type: Denial of service
• Description: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users.

libxml2 CVE-2022-40304

• CVSS3 score: Unspecified upstream
• Type: Data corruption, denial of service
• Description: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2

libxml2 CVE-2022-40303

• CVSS3 score: Unspecified upstream
• Type: Integer overflow
• Description: Integer overflows with XML_PARSE_HUGE

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0

References

• libxml2 release notes
• CVE-2022-2309
• CVE-2022-40304
• CVE-2022-40303

🚨 Nokogiri has vulnerable dependencies on libxml2 and libxslt

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

🚨 Nokogiri Improperly Handles Unexpected Data Type

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling #to_s or equivalent.

Credit

This vulnerability was responsibly reported by @agustingianni and the Github Security Lab.

🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri

Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.5, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.5.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also address these same issues.

Impact

libxml2 CVE-2022-29824

• CVSS3 score:
  • Unspecified upstream
  • Nokogiri maintainers evaluate at 8.6 (High) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). Note that this is different from the CVSS assessed by NVD.
• Type: Denial of service, information disclosure
• Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.

References

• libxml2 v2.9.14 release notes
• CVE-2022-29824
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

• Severity: High
• Type: CWE-787 Out of bounds write
• Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 Nokogiri Inefficient Regular Expression Complexity

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE-1333 Inefficient Regular Expression Complexity

Credit

This vulnerability was reported by HackerOne user ooooooo_q (ななおく).

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

• Severity: Medium
• Type: CWE-91 XML Injection (aka Blind XPath Injection)
• Description: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
• See also: GHSA-h65f-jvqw-m9fj

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2 which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

• Severity: High 7.5
• Type: CWE-400 Uncontrolled Resource Consumption
• Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
• See also: GHSA-9849-p7jc-9rmv

🚨 Nokogiri affected by zlib's Out-of-bounds Write vulnerability

zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 Vulnerable dependencies in Nokogiri

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

• vendored libxml2 from v2.9.12 to v2.9.13
• vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

• libxslt: CVE-2021-30560 (CVSS 8.8, High severity)
• libxml2: CVE-2022-23308 (Unspecified severity, see more information below)

Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

libxslt CVE-2021-30560

• CVSS3 score: 8.8 (High)
• Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

• As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score.
• Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12
• Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html

The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options DTDVALID set to true, and NOENT set to false.

An analysis of these parse options:

• While NOENT is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
• DTDVALID is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse option DTDVALID when parsing untrusted documents is vulnerable and should be upgraded immediately.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

1.8.1

What's Changed

• Use require_relative in the Racc codebase by @koic in #269
• Fix a typo by @koic in #270
• Provide a 'Changelog' link on rubygems.org/gems/racc by @mark-young-atg in #271
• Fix RDoc main file to "README.rdoc" by @ydah in #274
• Fix file path and line number errors when using +, * and () by @ydah in #273
• Bump up v1.8.1 by @yui-knk in #275

New Contributors

• @koic made their first contribution in #269
• @mark-young-atg made their first contribution in #271

Full Changelog: v1.8.0...v1.8.1

1.8.0

What's Changed

• Generate jar to build gem by @nobu in #255
• Fix trivial typos by @ydah in #257
• Try to fix test failure with Ruby 3.3 by @hsbt in #260
• Reformat the rdoc so it renders correctly both locally and on github. by @zenspider in #258
• Allow racc cmdline to read from stdin if no path specified. by @zenspider in #259
• Add more grammars by @nurse in #222
• Exclude 2.5 on macos-latest by @nobu in #263
• Drop code for Ruby 1.6 by @nobu in #264
• Refactor command line options by @nobu in #265
• Change encode EUC-JP to UTF-8 by @ydah in #267
• Organize README.ja.rdoc by @ydah in #266
• Support error_on_expect_mismatch declaration in Racc grammar file by @yui-knk in #262
• Bump up v1.8.0 by @yui-knk in #268

New Contributors

• @ydah made their first contribution in #257
• @nurse made their first contribution in #222

Full Changelog: v1.7.3...v1.8.0

1.7.3

What's Changed

• Exclude CRuby extension from JRuby gem by @nobu in #244
• Fix for dummy rake/extensiontask.rb at ruby test-bundled-gems by @nobu in #245
• Fix jar file path by @nobu in #246
• Bump by @nobu in #247
• Add srcs target to prepare to build by @nobu in #248
• Make CI runnable for any push by @yui-knk in #249
• Check rake build on CI by @yui-knk in #250
• Bump up v1.7.3.pre.1 by @yui-knk in #251
• Fix locations of expect param in docs by @yui-knk in #252
• 'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb' by @yui-knk in #253
• Bump up v1.7.3 by @yui-knk in #254

Full Changelog: v1.7.2...v1.7.3

1.7.2

What's Changed

• Update parser.rb, fixed typo by @jwillemsen in #224
• Remove leading newline from on_error exception messages. by @zenspider in #226
• Add --frozen to add frozen_string_literals to top of generated files. by @zenspider in #225
• Update development dependency to avoid ruby 2.5 failures by @flavorjones in #228
• dep: pin development dependencies, and enable dependabot for gems by @flavorjones in #229
• Clean embedded pragmas by @nobu in #230
• Embed grammar file name into generated file by @yui-knk in #231
• Bump actions/checkout from 3 to 4 by @dependabot in #232
• Fix a typo by @yui-knk in #234
• Add "Release flow" to README.rdoc by @yui-knk in #235
• Prepare 1.7.2 by @nobu in #236
• Remove install guide by setup.rb by @yui-knk in #237
• Fix tiny typos by @makenowjust in #238
• Remove old checks by @nobu in #240
• Remove MANIFEST which was used by ancient extmk.rb by @nobu in #242
• Extract Racc::VERSION from racc/info.rb at extconf.rb by @nobu in #241
• Use prototype declarations by @nobu in #243
• Bump up v1.7.2 by @yui-knk in #239

New Contributors

• @makenowjust made their first contribution in #238

Full Changelog: v1.7.1...v1.7.2

1.7.1

What's Changed

• Use released version of test-unit-ruby-core by @hsbt in #220
• Fix place to specify rake-compiler version by @nobu in #223
• Embedded path by @nobu in #221

Full Changelog: v1.7.0...v1.7.1

1.7.0

What's Changed

• Update racc.ja document by @hsbt in #207
• Make racc Ractor compatible by @pocke in #167
• Get rid of anonymous eval calls by @casperisfine in #208
• Adds Ruby 3.2 to the CI matrix. by @petergoldstein in #209
• Improve actions by @hsbt in #211
• Exclude jruby-head on macOS by @flavorjones in #214
• Add a newline at EOF [ci skip] by @nobu in #215
• [DOC] Strip trailing spaces by @nobu in #216
• Add tests for sample dir and tweak samples by @hkdnet in #217
• Remove ErrorSymbolValue reference by @jeremyevans in #213
• Embed racc/info.rb too by @nobu in #218

New Contributors

• @petergoldstein made their first contribution in #209
• @hkdnet made their first contribution in #217
• @jeremyevans made their first contribution in #213

Full Changelog: v1.6.2...v1.7.0

1.6.2

What's Changed

• Fixed typo in racc.en.rhtml by @jwillemsen in #200
• Removed old Id tag by @jwillemsen in #204
• Removed old originalId in comment by @jwillemsen in #203
• Adjust Racc parser version with gem version. by @hsbt in #205

Full Changelog: v1.6.1...v1.6.2

1.6.1

What's Changed

• CI: Add JRuby 9.3, use bundler-cache by @olleolleolle in #173
• Fix names by @nobu in #178
• Update README.rdoc by @jwillemsen in #179
• s/RubyVM::JIT/RubyVM::MJIT/g by @k0kubun in #180
• ci: update to cover Ruby 3.1 by @flavorjones in #181
• Fix typo in sample/calc.y. by @simi in #184
• Added dependabot.yml for actions by @hsbt in #186
• Bump actions/checkout from 2 to 3 by @dependabot in #187
• [DOC] Remove stale Object::ParseError documentation by @nobu in #188
• Strip trailing spaces by @nobu in #189
• Fix flag to Regexp.new by @nobu in #191
• Fix documentation directory name in README by @okuramasafumi in #193
• Make racc test more flexible (for JRuby). by @enebo in #194
• Update racc.en.rhtml by @jwillemsen in #195
• Update README.rdoc by @jwillemsen in #196
• Update racc.gemspec by @jwillemsen in #197
• ci: update jruby versions and add truffleruby by @flavorjones in #198

New Contributors

• @jwillemsen made their first contribution in #179
• @k0kubun made their first contribution in #180
• @simi made their first contribution in #184
• @dependabot made their first contribution in #187
• @okuramasafumi made their first contribution in #193

Full Changelog: v1.6.0...v1.6.1

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

🚨 Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Summary

Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme (e.g. javascript:alert(1)), the generated index includes an anchor whose href attribute is exactly javascript:alert(1). Clicking this entry executes arbitrary JavaScript in the context of the hosting application.

This results in a client-side XSS condition in directory listings generated by Rack::Directory.

Details

Rack::Directory renders directory entries using an HTML row template similar to:

<a href='%s'>%s</a>

The %s placeholder is populated directly with the file’s basename. If the basename begins with javascript:, the resulting HTML contains an executable JavaScript URL:

<a href='javascript:alert(1)'>javascript:alert(1)</a>

Because the value is inserted directly into the href attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.

Impact

If Rack::Directory is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with javascript:.

When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).

Mitigation

• Update to a patched version of Rack in which Rack::Directory prefixes generated anchors with a relative path indicator (e.g. ./filename).
• Avoid exposing user-controlled directories via Rack::Directory.
• Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.
• Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.

HackerOne profile:
https://hackerone.com/thesmartshadow

GitHub account owner:
Ali Firas (@thesmartshadow)

🚨 Rack has a Directory Traversal via Rack:Directory

Summary

Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../root_example/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.

Details

In directory.rb, File.expand_path(File.join(root, path_info)).start_with?(root) does not enforce a path boundary. If the server root is /var/www/root, a path like /var/www/root_backup passes the check because it shares the same prefix, so Rack::Directory will list that directory also.

Impact

Information disclosure via directory listing outside the configured root when Rack::Directory is exposed to untrusted clients and a directory shares the root prefix (e.g., public2, www_backup).

Mitigation

• Update to a patched version of Rack that correctly checks the root prefix.
• Don't name directories with the same prefix as one which is exposed via Rack::Directory.

🚨 Rack has a Possible Information Disclosure Vulnerability

Summary

A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx). Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

Details

When Rack::Sendfile received untrusted x-sendfile-type or x-accel-mapping headers from a client, it would interpret them as proxy configuration directives. This could cause the middleware to send a "redirect" response to the proxy, prompting it to reissue a new internal request that was not subject to the proxy's access controls.

An attacker could exploit this by:

1. Setting a crafted x-sendfile-type: x-accel-redirect header.
2. Setting a crafted x-accel-mapping header.
3. Requesting a path that qualifies for proxy-based acceleration.

Impact

Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected (such as administrative pages). The vulnerability did not allow arbitrary file reads but could expose sensitive application routes.

This issue only affected systems meeting all of the following conditions:

• The application used Rack::Sendfile with a proxy that supports x-accel-redirect (e.g., Nginx).
• The proxy did not always set or remove the x-sendfile-type and x-accel-mapping headers.
• The application exposed an endpoint that returned a body responding to .to_path.

Mitigation

• Upgrade to a fixed version of Rack which requires explicit configuration to enable x-accel-redirect:

  use Rack::Sendfile, "x-accel-redirect"

• Alternatively, configure the proxy to always set or strip the headers (you should be doing this!):

  proxy_set_header x-sendfile-type x-accel-redirect;
  proxy_set_header x-accel-mapping /var/www/=/files/;

• Or in Rails applications, disable sendfile completely:

  config.action_dispatch.x_sendfile_header = nil

🚨 Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing

Summary

Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.

Details

When handling non-multipart form submissions, Rack’s request parser performs:

form_vars = get_header(RACK_INPUT).read

Since read is called with no argument, the entire request body is loaded into a Ruby String. This occurs before query parameter parsing or enforcement of any params_limit. As a result, Rack applications without an upstream body-size limit can experience unbounded memory allocation proportional to request size.

Impact

Attackers can send large application/x-www-form-urlencoded bodies to consume process memory, causing slowdowns or termination by the operating system (OOM). The effect scales linearly with request size and concurrency. Even with parsing limits configured, the issue occurs before those limits are enforced.

Mitigation

• Update to a patched version of Rack that enforces form parameter limits using query_parser.bytesize_limit, preventing unbounded reads of application/x-www-form-urlencoded bodies.
• Enforce strict maximum body size at the proxy or web server layer (e.g., Nginx client_max_body_size, Apache LimitRequestBody).

🚨 Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)

Summary

Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.

Details

While searching for the first boundary, the parser appends incoming data into a shared buffer (@sbuf.concat(content)) and scans for the boundary pattern:

@sbuf.scan_until(@body_regex)

If the boundary is not yet found, the parser continues buffering data indefinitely. There is no trimming or size cap on the preamble, allowing attackers to send arbitrary amounts of data before the first boundary.

Impact

Remote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection.

Mitigation

• Upgrade: Use a patched version of Rack that enforces a preamble size limit (e.g., 16 KiB) or discards preamble data entirely per RFC 2046 § 5.1.1.
• Workarounds:
  • Limit total request body size at the proxy or web server level.
  • Monitor memory and set per-process limits to prevent OOM conditions.

🚨 Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)

Summary

Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).

Details

While reading multipart headers, the parser waits for CRLFCRLF using:

@sbuf.scan_until(/(.*?\r\n)\r\n/m)

If the terminator never appears, it continues appending data (@sbuf.concat(content)) indefinitely. There is no limit on accumulated header bytes, so a single malformed part can consume memory proportional to the request body size.

Impact

Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected.

Mitigation

• Upgrade to a patched Rack version that caps per-part header size (e.g., 64 KiB).
• Until then, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx client_max_body_size).

🚨 Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

Summary

Rack::Multipart::Parser stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).

Details

During multipart parsing, file parts are streamed to temporary files, but non-file parts are buffered into memory:

body = String.new  # non-file → in-RAM buffer
@mime_parts[mime_index].body << content

There is no size limit on these in-memory buffers. As a result, any large text field—while technically valid—will be loaded fully into process memory before being added to params.

Impact

Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected.

Mitigation

• Upgrade: Use a patched version of Rack that enforces a reasonable size cap for non-file fields (e.g., 2 MiB).
• Workarounds:
  • Restrict maximum request body size at the web-server or proxy layer (e.g., Nginx client_max_body_size).
  • Validate and reject unusually large form fields at the application level.

🚨 Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters

Summary

Rack::QueryParser in version < 2.2.18 enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended.

Details

The issue arises because Rack::QueryParser#check_query_string counts only & characters when determining the number of parameters, but the default separator regex DEFAULT_SEP = /[&;] */n splits on both & and ;. This mismatch means that queries using ; separators were not included in the parameter count, allowing params_limit to be bypassed.

Other safeguards (bytesize_limit and key_space_limit) still applied, but did not prevent this particular bypass.

Impact

Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector.

Rack::Request, the primary entry point for typical Rack applications, uses QueryParser in a safe way and does not appear vulnerable by default. As such, the severity is considered low, with the impact limited to edge cases where QueryParser is used directly.

Mitigation

• Upgrade to a patched version of Rack where both & and ; are counted consistently toward params_limit.
• If upgrading is not immediately possible, configure QueryParser with an explicit delimiter (e.g., &) to avoid the mismatch.
• As a general precaution, enforce query string and request size limits at the web server or proxy layer (e.g., Nginx, Apache, or a CDN) to mitigate excessive parsing overhead.

🚨 Rack session gets restored after deletion

Summary

When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.

Details

Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.

Impact

When using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.

Mitigation

• Update to the latest version of rack, or
• Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a logged_out flag, instead of deleting them, and check this flag on every request to prevent reuse, or
• Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.

Related

As this code was moved to rack-session in Rack 3+, see GHSA-9j94-67jr-4cqj for the equivalent advisory in rack-session (affecting Rack 3+ only).

🚨 Rack has an Unbounded-Parameter DoS in Rack::QueryParser

Summary

Rack::QueryParser parses query strings and application/x-www-form-urlencoded bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters.

Details

The vulnerability arises because Rack::QueryParser iterates over each &-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing.

Impact

An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted.

Mitigation

• Update to a version of Rack that limits the number of parameters parsed, or
• Use middleware to enforce a maximum query string size or parameter count, or
• Employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies.

Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.

🚨 Local File Inclusion in Rack::Static

Summary

Rack::Static can serve files under the specified root: even if urls: are provided, which may expose other files under the specified root: unexpectedly.

Details

The vulnerability occurs because Rack::Static does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.

Impact

By exploiting this vulnerability, an attacker can gain access to all files under the specified root: directory, provided they are able to determine then path of the file.

Mitigation

• Update to the latest version of Rack, or
• Remove usage of Rack::Static, or
• Ensure that root: points at a directory path which only contains files which should be accessed publicly.

It is likely that a CDN or similar static file server would also mitigate the issue.

🚨 Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection

Summary

Rack::Sendfile can be exploited by crafting input that includes newline characters to manipulate log entries.

Details

The Rack::Sendfile middleware logs unsanitized header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.

Impact

This vulnerability can distort log files, obscure attack traces, and complicate security auditing.

Mitigation

• Update to the latest version of Rack, or
• Remove usage of Rack::Sendfile.

🚨 Possible Log Injection in Rack::CommonLogger

Summary

Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.

Details

When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes.

The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.

Impact

Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.

Mitigation

• Update to the latest version of Rack.

🚨 Rack Header Parsing leads to Possible Denial of Service Vulnerability

Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact

Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 2-0-header-redos.patch - Patch for 2.0 series
• 2-1-header-redos.patch - Patch for 2.1 series
• 2-2-header-redos.patch - Patch for 2.2 series
• 3-0-header-redos.patch - Patch for 3.0 series

Credits

Thanks to svalkanov for reporting this and
providing patches!

🚨 Rack has possible DoS Vulnerability with Range Header

Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in
Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected: >= 1.3.0.
Not affected: < 1.3.0
Fixed Versions: 3.0.9.1, 2.2.8.1

Impact

Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.

Vulnerable applications will use the Rack::File middleware or the
Rack::Utils.byte_ranges methods (this includes Rails applications).

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 3-0-range.patch - Patch for 3.0 series
• 2-2-range.patch - Patch for 2.2 series

Credits

Thank you ooooooo_q for the report and
patch

🚨 Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)

Summary

module Rack
  class MediaType
    SPLIT_PATTERN = %r{\s*[;,]\s*}

The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.

PoC

A simple HTTP request with lots of blank characters in the content-type header:

request["Content-Type"] = (" " * 50_000) + "a,"

Impact

It's a very easy to craft ReDoS. Like all ReDoS the impact is debatable.

🚨 Possible Denial of Service Vulnerability in Rack's header parsing

There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1

Impact

Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.

Workarounds

Setting Regexp.timeout in Ruby 3.2 is a possible workaround.

🚨 Rack has possible DoS Vulnerability in Multipart MIME parsing

There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.

Versions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3

Impact

The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

A proxy can be configured to limit the POST body size which will mitigate this issue.

🚨 Denial of Service Vulnerability in Rack Content-Disposition parsing

There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1
Impact

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Releases

The fixed releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

2-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.0 series
2-1-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.1 series
2-2-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.2 series
3-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 3.0 series

🚨 Denial of service via header parsing in Rack

There is a possible denial of service vulnerability in the Range header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44570.

Versions Affected: >= 1.5.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.0.1
Impact

Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
Releases

The fixed releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

2-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.0 series
2-1-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.1 series
2-2-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.2 series
3-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 3.0 series

🚨 Denial of service via multipart parsing in Rack

There is a denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44572.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1
Impact

Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Releases

The fixed releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

2-0-Forbid-control-characters-in-attributes.patch - Patch for 2.0 series
2-1-Forbid-control-characters-in-attributes.patch - Patch for 2.1 series
2-2-Forbid-control-characters-in-attributes.patch - Patch for 2.2 series
3-0-Forbid-control-characters-in-attributes.patch - Patch for 3.0 series

🚨 Possible shell escape sequence injection vulnerability in Rack

There is a possible shell escape sequence injection vulnerability in the Lint
and CommonLogger components of Rack. This vulnerability has been assigned the
CVE identifier CVE-2022-30123.

Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

Impact

Carefully crafted requests can cause shell escape sequences to be written to
the terminal via Rack's Lint middleware and CommonLogger middleware. These
escape sequences can be leveraged to possibly execute commands in the victim's
terminal.

Impacted applications will have either of these middleware installed, and
vulnerable apps may have something like this:

use Rack::Lint

Or

use Rack::CommonLogger

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

Remove these middleware from your application

🚨 Denial of Service Vulnerability in Rack Multipart Parsing

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122.

Versions Affected: >= 1.2
Not affected: < 1.2
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

Impact

Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability.

Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:

params = Rack::Multipart.parse_multipart(env)

But it also includes reading POST data from a Rack request object like this:

p request.POST # read POST data
p request.params # reads both query params and POST data

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

There are no feasible workarounds for this issue.

2.2.21 (from changelog)

Fixed

• Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#2392, @alpaca-tc, @willnet, @krororo)

2.2.19 (from changelog)

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

2.2.16 (from changelog)

• Fix incorrect backport of optional CGI::Cookie support. (#2335, @jeremyevans)

2.2.15 (from changelog)

• Optional support for CGI::Cookie if not available. (#2327, #2333, @earlopain)

2.2.14 (from changelog)

Security

• CVE-2025-46727 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.

2.2.13 (from changelog)

Security

• CVE-2025-27610 Local file inclusion in Rack::Static.

2.2.12 (from changelog)

Security

• CVE-2025-27111 Possible Log Injection in Rack::Sendfile.

2.2.10 (from changelog)

• Fix compatibility issues with Ruby v3.4.0. (#2248, @byroot)

2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: v2.2.8...v2.2.8.1

2.2.7

What's Changed

• Correct the year number in the changelog by @kimulab in #2015
• Support underscore in host names for Rack 2.2 (Fixes #2070) by @jeremyevans in #2071

New Contributors

• @kimulab made their first contribution in #2015

Full Changelog: v2.2.6.4...v2.2.7

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

2.2.0 (from changelog)

• Bug fixes:

  • Rack::Test::Cookie now parses cookie parameters using a case-insensitive approach (Guillaume Malette #349)

• Minor enhancements:

  • Arrays of cookies containing a blank cookie are now handled correctly when processing responses. (Martin Emde #343)
  • Rack::Test::UploadedFile no longer uses a finalizer for named paths to close and unlink the created Tempfile. Tempfile itself uses a finalizer to close and unlink itself, so there is no reason for Rack::Test::UploadedFile to do so (Jeremy Evans #338)

2.1.0 (from changelog)

• Breaking changes:

  • Digest authentication support, deprecated in 2.0.0, has been removed (Jeremy Evans #307)
  • requiring rack/mock_session, deprecated in 2.0.0, has been removed (Jeremy Evans #307)

• Minor enhancements:

  • The original_filename for Rack::Test::UploadedFile can now be set even if the content of the file comes from a file path (Stuart Chinery #314)
  • Add Rack::Test::Session#restore_state, for executing a block and restoring current state (last request, last response, and cookies) after the block (Jeremy Evans #316)
  • Make Rack::Test::Methods support default_host method similar to app, which will set the default host used for requests to the app (Jeremy Evans #317 #318)
  • Allow responses to set cookie paths not matching the current request URI. Such cookies will only be sent for paths matching the cookie path (Chris Waters #322)
  • Ignore leading dot for cookie domains, per RFC 6265 (Stephen Crosby #329)
  • Avoid creating empty multipart body if params is empty in Rack::Test::Session#env_for (Ryunosuke Sato #331)

2.0.2 (from changelog)

• Bug fixes:
  • Fix additional incompatible character encodings error when building uploaded bodies (Jeremy Evans #311)

2.0.1 (from changelog)

• Bug fixes:
  • Fix incompatible character encodings error when building uploaded file bodies (Jeremy Evans #308 #309)

2.0.0 (from changelog)

• Breaking changes:

  • Digest authentication support is now deprecated, as it relies on digest authentication support in rack, which has been deprecated (Jeremy Evans #294)
  • Rack::Test::Utils.build_primitive_part no longer handles array values (Jeremy Evans #292)
  • Rack::Test::Utils module methods other than build_nested_query and build_multipart are now private methods (Jeremy Evans #297)
  • Rack::MockSession has been combined into Rack::Test::Session, and remains as an alias to Rack::Test::Session, but to keep some backwards compatibility, Rack::Test::Session.new will accept a Rack::Test::Session instance and return it (Jeremy Evans #297)
  • Previously protected methods in Rack::Test::Cookie{,Jar} are now private methods (Jeremy Evans #297)
  • Rack::Test::Methods no longer defines build_rack_mock_session, but for backwards compatibility, build_rack_test_session will call build_rack_mock_session if it is defined (Jeremy Evans #297)
  • Rack::Test::Methods::METHODS is no longer defined (Jeremy Evans #297)
  • Rack::Test::Methods#_current_session_names has been removed (Jeremy Evans #297)
  • Headers used/accessed by rack-test are now lower case, for rack 3 compliance (Jeremy Evans #295)
  • Frozen literal strings are now used internally, which may break code that mutates static strings returned by rack-test, if any (Jeremy Evans #304)

• Minor enhancements:

  • rack-test now works with the rack main branch (what will be rack 3) (Jeremy Evans #280 #292)
  • rack-test only loads the parts of rack it uses when running on the rack main branch (what will be rack 3) (Jeremy Evans #292)
  • Development dependencies have been significantly reduced, and are now a subset of the development dependencies of rack itself (Jeremy Evans #292)
  • Avoid creating multiple large copies of uploaded file data in memory (Jeremy Evans #286)
  • Specify HTTP/1.0 when submitting requests, to avoid responses with Transfer-Encoding: chunked (Jeremy Evans #288)
  • Support :query_params in rack environment for parameters that are appended to the query string instead of used in the request body (Jeremy Evans #150 #287)
  • Reduce required ruby version to 2.0, since tests run fine on Ruby 2.0 (Jeremy Evans #292)
  • Support :multipart env key for request methods to force multipart input (Jeremy Evans #303)
  • Force multipart input for request methods if content type starts with multipart (Jeremy Evans #303)
  • Improve performance of Utils.build_multipart by using an append-only design (Jeremy Evans #304)
  • Improve performance of Utils.build_nested_query for array values (Jeremy Evans #304)

• Bug fixes:

  • The CONTENT_TYPE of multipart requests is now respected, if it starts with multipart/ (Tom Knig #238)
  • Work correctly with responses that respond to to_a but not to_ary (Sergio Faria #276)
  • Raise an ArgumentError instead of a TypeError when providing a StringIO without an original filename when creating an UploadedFile (Nuno Correia #279)
  • Allow combining both an UploadedFile and a plain string when building a multipart upload (Mitsuhiro Shibuya #278)
  • Fix the generation of filenames with spaces to use path escaping instead of regular escaping, since path unescaping is used to decode it (Muir Manders, Jeremy Evans #275 #284)
  • Rewind tempfile used for multipart uploads before it is submitted to the application (Jeremy Evans, Alexander Dervish #261 #268 #286)
  • Fix Rack::Test.encoding_aware_strings to be true only on rack 1.6+ (Jeremy Evans #292)
  • Make Rack::Test::CookieJar#valid? return true/false (Jeremy Evans #292)
  • Cookies without a domain attribute no longer are submitted to requests for subdomains of that domain, for RFC 6265 compliance (Jeremy Evans #292)
  • Increase required rack version to 1.3, since tests fail on rack 1.2 and below (Jeremy Evans #293)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

2.3.0

What's Changed

• Add assert_not_dom, refute_dom, assert_not_select, refute_select & refute_dom_equal by @joshuay03 in #113
• Raise an error when given a block with a 0 element assertion by @joshuay03 in #116
• Raise an error when provided an invalid Range, or invalid :minimum and :maximum by @joshuay03 in #115
• assert_dom :text collapses whitespace by @jyeharry in #123

New Contributors

• @joshuay03 made their first contribution in #113
• @m-nakamura145 made their first contribution in #118
• @jyeharry made their first contribution in #122

Full Changelog: v2.2.0...v2.3.0

2.2.0

What's Changed

• Allow user to choose the HTML parser used by @flavorjones in #109
• Fix string substitution regression by @nicoco007 in #110

New Contributors

• @nicoco007 made their first contribution in #110

Full Changelog: v2.1.1...v2.2.0

2.1.1

What's Changed

• Fix issue when application isn't using minitest.

Full Changelog: v2.1.0...v2.1.1

2.1.0

What's Changed

• Address warning: mismatched indentations at 'when' with 'case' by @yahonda in #74
• Make assert_dom_equal ignore insignificant whitespace when walking the node tree by @jduff in #84
• Expand Substitution Matching Types support by @seanpdoyle in #90
• Alias assert_select methods to assert_dom versions by @seanpdoyle in #93
• Raise an error if the last arg is the wrong format by @ghiculescu in #96
• Fix replacement for multiple substitutions by @speckins in #76
• Better error message if response.body is blank or not parseable by Nokogiri by @ghiculescu in #97
• selector_assertions/html_selector: No trailing . on content_mismatch by @issyl0 in #102
• Use Minitest::Assertion#diff for content failure messages by @flavorjones in #106

New Contributors

• @nicolasleger made their first contribution in #73
• @yahonda made their first contribution in #74
• @dependabot made their first contribution in #79
• @jduff made their first contribution in #86
• @amatsuda made their first contribution in #88
• @seanpdoyle made their first contribution in #90
• @ghiculescu made their first contribution in #96
• @jbampton made their first contribution in #95
• @speckins made their first contribution in #76
• @issyl0 made their first contribution in #102
• @flavorjones made their first contribution in #103

Full Changelog: v2.0.3...v2.1.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

🚨 rails-html-sanitizer has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:

• the "noscript" element is explicitly allowed

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

The default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["noscript"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["noscript"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["noscript"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["noscript"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["noscript"]

All users overriding the allowed tags by any of the above mechanisms to include "noscript" should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "noscript" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information).

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2509647

Credit

This vulnerability was responsibly reported by So Sakaguchi (mokusou) and taise.

🚨 rails-html-sanitize has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Please note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or >= 1.16.8.

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways:

• allow both "math" and "style" elements
• or allow both "svg" and "style" elements

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]
# or
config.action_view.sanitized_allowed_tags = ["svg", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["math", "style"] %>
<%# or %>
<%= sanitize @comment.body, tags: ["svg", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"]
# or
Rails::HTML5::SafeListSanitizer.allowed_tags = ["svg", "style"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
# or
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["math", "style"]
# or
ActionText::ContentHelper.allowed_tags = ["svg", "style"]

All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "style" from the overridden allowed tags,
• Or, remove "math" and "svg" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information)
• Or, independently upgrade Nokogiri to v1.15.7 or >= 1.16.8.

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2503220

Credit

This vulnerability was responsibly reported by So Sakaguchi (mokusou) and taise.

🚨 rails-html-sanitizer has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:

• the "math" and "style" elements are both explicitly allowed

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

The default configuration is to disallow these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["math", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["math", "style"]

All users overriding the allowed tags by any of the above mechanisms to include both "math" and "style" should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "math" or "style" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information).

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2519941

Credit

This vulnerability was responsibly reported by So Sakaguchi (mokusou) and taise.

🚨 rails-html-sanitizer has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:

• the "math", "mtext", "table", and "style" elements are allowed
• and either "mglyph" or "malignmark" are allowed

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

The default configuration is to disallow all of these elements except for "table". Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "mtext", "table", "style", "mglyph"]
# or
config.action_view.sanitized_allowed_tags = ["math", "mtext", "table", "style", "malignmark"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["math", "mtext", "table", "style", "mglyph"] %>
<%# or %>
<%= sanitize @comment.body, tags: ["math", "mtext", "table", "style", "malignmark"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "mtext", "table", "style", "mglyph"]
# or
Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "mtext", "table", "style", "malignmark"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "mtext", "table", "style", "mglyph"])
# or
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "mtext", "table", "style", "malignmark"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["math", "mtext", "table", "style", "mglyph"]
# or
ActionText::ContentHelper.allowed_tags = ["math", "mtext", "table", "style", "malignmark"]

All users overriding the allowed tags by any of the above mechanisms to include ("math" and "mtext" and "table" and "style" and ("mglyph" or "malignmark")) should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "mglyph" and "malignmark" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information).

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2519936

Credit

This vulnerability was responsibly reported by So Sakaguchi (mokusou) and taise.

🚨 rails-html-sanitizer has XSS vulnerability with certain configurations

Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.

• Versions affected: 1.6.0
• Not affected: < 1.6.0
• Fixed versions: 1.6.1

Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:

• the "style" element is explicitly allowed
• the "svg" or "math" element is not allowed

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options.

The default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags:

# class-level option
Rails::HTML5::SafeListSanitizer.allowed_tags = ["style"]

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

4. using a :tags options to the Rails::HTML5::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["style"])

(note that this class may also be referenced as Rails::Html::SafeListSanitizer)

5. setting ActionText::ContentHelper module attribute allowed_tags:

ActionText::ContentHelper.allowed_tags = ["style"]

All users overriding the allowed tags by any of the above mechanisms to include "style" and omit "svg" or "math" should either upgrade or use one of the workarounds.

Workarounds

Any one of the following actions will work around this issue:

• Remove "style" from the overridden allowed tags,
• Or, downgrade sanitization to HTML4 (see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information).

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• Original report: https://hackerone.com/reports/2519936

Credit

This vulnerability was responsibly reported by So Sakaguchi (mokusou) and taise.

🚨 Inefficient Regular Expression Complexity in rails-html-sanitizer

Summary

Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to rails-html-sanitizer >= 1.4.4.

Severity

The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)
• https://hackerone.com/reports/1684163

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

🚨 Improper neutralization of data URIs may allow XSS in rails-html-sanitizer

Summary

rails-html-sanitizer >= 1.0.3, < 1.4.4 is vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0.

Mitigation

Upgrade to rails-html-sanitizer >= 1.4.4.

Severity

The maintainers have evaluated this as Medium Severity 6.1.

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg
• #135
• https://hackerone.com/reports/1694173

Credit

This vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).

🚨 Possible XSS vulnerability with certain configurations of rails-html-sanitizer

Summary

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

• Versions affected: ALL
• Not affected: NONE
• Fixed versions: 1.4.4

Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:

• allow both "math" and "style" elements,
• or allow both "svg" and "style" elements

Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:

1. using application configuration:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]
# or
config.action_view.sanitized_allowed_tags = ["svg", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["math", "style"] %>
<%# or %>
<%= sanitize @comment.body, tags: ["svg", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. using Rails::Html::SafeListSanitizer class method allowed_tags=:

# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["math", "style"]
# or
Rails::Html::SafeListSanitizer.allowed_tags = ["svg", "style"]

4. using a :tags options to the Rails::Html::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
# or
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])

All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately.

Workarounds

Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• https://hackerone.com/reports/1656627

Credit

This vulnerability was responsibly reported by Dominic Breuker.

🚨 Possible XSS vulnerability with certain configurations of rails-html-sanitizer

Summary

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.

• Versions affected: ALL
• Not affected: NONE
• Fixed versions: 1.4.4

Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.

Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:

1. Using the Rails configuration config.action_view.sanitized_allow_tags=:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]

(see https://guides.rubyonrails.org/configuring.html#configuring-action-view)

2. Using the class method Rails::Html::SafeListSanitizer.allowed_tags=:

# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]

All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.

NOTE: Code is not impacted if allowed tags are overridden using either of the following mechanisms:

• the :tags option to the Action View helper method sanitize.
• the :tags option to the instance method SafeListSanitizer#sanitize.

Workarounds

Remove either "select" or "style" from the overridden allowed tags.

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209
• https://hackerone.com/reports/1654310

Credit

This vulnerability was responsibly reported by Dominic Breuker.

🚨 Rails::Html::Sanitizer vulnerable to Cross-site Scripting

Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both select and style elements. Code is only impacted if allowed tags are being overridden.

This may be done via application configuration: ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a :tags option to the Action View helper sanitize: <%= sanitize @comment.body, tags: ["select", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

It may also be done with Rails::Html::SafeListSanitizer directly:
ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"] or with
ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])

All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either select or style from the overridden allowed tags.

1.7.0

v1.7.0 / 2026-02-24

• Add Rails::HTML::Sanitizer.allowed_uri? which delegates to Loofah::HTML5::Scrub.allowed_uri?,
  allowing the Rails framework to check URI safety without a direct dependency on Loofah.

  The minimum Loofah dependency is now ~> 2.25.

  Mike Dalessio @flavorjones

1.6.2

v1.6.2 / 2024-12-12

• PermitScrubber fully supports frozen "allowed tags".

  v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which
  introduced a regression for applications passing a frozen array of allowed tags. Tags and
  attributes are now properly copied when they are passed to the scrubber.

  Fixes #195.

  Mike Dalessio

1.6.1

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

• The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

• Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content),
  regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the
  gem was configured with the prune: true option.

  The CVEs addressed by this change are:

  • CVE-2024-53986 (GHSA-638j-pmjw-jq48)
  • CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

• The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to
  the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags
  are removed from the allow-list.

  The CVEs addressed by this change are:

  • CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
  • CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a future release. We do not
  expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal
  for these tags.

  Mike Dalessio

• Improve performance by eliminating needless operations on attributes that are being removed. #188

  Mike Dalessio

1.6.0

1.6.0 / 2023-05-26

• Dependencies have been updated:

  • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
  • As a result, required Ruby version is now >= 2.7.0

  Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1
  (which supports Ruby 2.5) is still in security support.

  Mike Dalessio

• HTML5 standards-compliant sanitizers are now available on platforms supported by
  Nokogiri::HTML5. These are available as:

  • Rails::HTML5::FullSanitizer
  • Rails::HTML5::LinkSanitizer
  • Rails::HTML5::SafeListSanitizer

  And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version
  of Rails.

  Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical
  to the vendor class methods on Rails::HTML::Sanitizer.

  Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's
  supported, else the legacy HTML4 vendor.

  Mike Dalessio

• Module namespaces have changed, but backwards compatibility is provided by aliases.

  The library defines three additional modules:

  • Rails::HTML for general functionality (replacing Rails::Html)
  • Rails::HTML4 containing sanitizers that parse content as HTML4
  • Rails::HTML5 containing sanitizers that parse content as HTML5

  The following aliases are maintained for backwards compatibility:

  • Rails::Html points to Rails::HTML
  • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
  • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
  • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

  Mike Dalessio

• LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer
  already ensured this encoding.

  Mike Dalessio

• SafeListSanitizer allows time tag and lang attribute by default.

  Mike Dalessio

• The constant Rails::Html::XPATHS_TO_REMOVE has been removed. It's not necessary with the
  existing sanitizers, and should have been a private constant all along anyway.

  Mike Dalessio

1.5.0

1.5.0 / 2023-01-20

• SafeListSanitizer, PermitScrubber, and TargetScrubber now all support pruning of unsafe tags.

  By default, unsafe tags are still stripped, but this behavior can be changed to prune the element
  and its children from the document by passing prune: true to any of these classes' constructors.

  @seyerian

1.4.4

1.4.4 / 2022-12-13

• Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.

  Mike Dalessio

• Address improper sanitization of data URIs.

  Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.

  Mike Dalessio

1.4.3

1.4.3 / 2022-06-09

• Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Prevent the combination of select and style as allowed tags in SafeListSanitizer.

  Fixes CVE-2022-32209

  Mike Dalessio

1.4.2

1.4.2 / 2021-08-23

• Slightly improve performance.

  Assuming elements are more common than comments, make one less method call per node.

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 8.1.3 release
• Merge branch '8-1-sec' into 8-1-stable

13.3.1

What's Changed

• Remove useless condition check by @DormancyWang in #636
• Added document for RAKEOPT by @hsbt in #639
• lewagon/wait-on-check-action didn't need bot token by @hsbt in #642
• Fixed wrong name of environmental variable by @hsbt in #643
• The old Ruby version of Windows is broken by @hsbt in #647
• Avoid to use it by @hsbt in #650
• Fixed assertion result with the latest stable version of JRuby by @hsbt in #655
• Fixup test_load_error_raised_implicitly with JRuby by @hsbt in #657
• Set source_code_uri metadata to this gem's public repo URL by @amatsuda in #662
• Fix TaskArguments#deconstruct_keys with keys = nil by @nevans in #635
• refactor: only include lib in $LOAD_PATH if not included yet by @pvdb in #610
• silence warnings during execution of rake tasks in Rakefile (ex: rake test) by @luke-gru in #483

New Contributors

• @DormancyWang made their first contribution in #636
• @amatsuda made their first contribution in #662
• @nevans made their first contribution in #635
• @luke-gru made their first contribution in #483

Full Changelog: v13.3.0...v13.3.1

13.3.0

What's Changed

• Add missing changelog by @VitaliySerov in #555
• Exclude 2.3-2.5 on macos-14 iamge by @hsbt in #563
• Use require_relative in the Rake codebase by @koic in #566
• Provide a 'Changelog' link on rubygems.org/gems/rake by @mark-young-atg in #572
• Remove dependency on win32ole by @Earlopain in #573
• Switch changelog_uri to releases tab by @fynsta in #577
• chore: refactor/reformat the heredocs (in tests) ... by @pvdb in #589
• chore: remove $trace global variable / option by @pvdb in #592
• Link to Jim's last rake commit (not the git tree with that SHA) by @pvdb in #593
• chore: refactor how temporary files are created (in tests) by @pvdb in #590
• refactor: use $LOADED_FEATURES built-in instead of $" by @pvdb in #605
• refactor: remove "exposed" @system_dir instance variable (in helper method) by @pvdb in #604
• refactor: simplify Rake::Application#system_dir method by @pvdb in #591
• Remove unused argument by @takmar in #623
• Use latest RDoc release instead of Ruby 3.2's default version by @st0012 in #630
• Enabled trusted publisher for rubygems.org by @hsbt in #634
• refactor: use Dir.home to find rake's standard system dir by @pvdb in #608
• Fix RDoc links in Rake Information section by @komagata in #627
• refactor: move dependency requires to ruby_runner.rb file by @pvdb in #609
• Pattern matching support for arguments by @rgarner in #515

New Contributors

• @VitaliySerov made their first contribution in #555
• @koic made their first contribution in #566
• @mark-young-atg made their first contribution in #572
• @Earlopain made their first contribution in #573
• @fynsta made their first contribution in #577
• @takmar made their first contribution in #623
• @st0012 made their first contribution in #630
• @komagata made their first contribution in #627
• @rgarner made their first contribution in #515

Full Changelog: v13.2.1...v13.3.0

13.2.1

What's Changed

• Suppressed "internal:array:52:in 'Array#each'" from backtrace by @hsbt in #554
• Bump actions/configure-pages from 4 to 5 by @dependabot in #553

Full Changelog: v13.2.0...v13.2.1

13.2.0

What's Changed

• Fix rule example to be correct by @zenspider in #525
• Switch to use test-unit by @hsbt in #536
• Removed redundant block by @hsbt in #537
• Use Struct instead of OpenStruct. by @hsbt in #545
• Accept FileList object as directory task's target by @gemmaro in #530
• Fix exception when exception has nil backtrace by @janbiedermann in #451
• Add TruffleRuby on CI by @andrykonchin in #551

New Contributors

• @zenspider made their first contribution in #525
• @gemmaro made their first contribution in #530
• @janbiedermann made their first contribution in #451
• @andrykonchin made their first contribution in #551

Full Changelog: v13.1.0...v13.2.0

13.1.0

What's Changed

• Added dependabot.yml for actions by @hsbt in #416
• Add Ruby 3.1 to the CI matrix by @petergoldstein in #415
• (Performance) Remove unnecessary I/O syscalls for FileTasks by @da2x in #393
• Skip test failure with JRuby by @hsbt in #418
• Bump actions/checkout from 2 to 3 by @dependabot in #417
• Remove bin/rdoc by @tnir in #421
• Remove bin/rake by @tnir in #422
• Remove bin/bundle by @tnir in #425
• Apply RuboCop linting for Ruby 2.3 by @tnir in #423
• Update rubocop to work with Ruby 2.4 compatible by @tnir in #424
• chore: fix typo in comments by @tnir in #429
• Use 'test' as workflow name on Actions by @tnir in #427
• docs: update CONTRIBUTING.rdoc by @tnir in #428
• Add RuboCop job to Actions by @tnir in #426
• Lock minitest-5.15.0 for Ruby 2.2 by @hsbt in #442
• Eagerly require set in thread_pool.rb by @jeremyevans in #440
• Avoid creating an unnecessary thread pool by @jeremyevans in #441
• Add credit for maintenance in Rake 12/13 by @tnir in #443
• Sh fully echoes commands which error exit by @MarkDBlackwell in #147
• Correct RuboCop offenses by @deivid-rodriguez in #444
• [StepSecurity] ci: Harden GitHub Actions by @step-security-bot in #450
• Bump ruby/setup-ruby from 1.126.0 to 1.127.0 by @dependabot in #453
• Bump actions/checkout from 3.1.0 to 3.2.0 by @dependabot in #454
• Bump ruby/setup-ruby from 1.127.0 to 1.131.0 by @dependabot in #457
• Add ruby 3.2 to test matrix by @hanneskaeufler in #458
• Bump ruby/setup-ruby from 1.131.0 to 1.133.0 by @dependabot in #459
• Bump actions/checkout from 3.2.0 to 3.3.0 by @dependabot in #463
• Bump ruby/setup-ruby from 1.133.0 to 1.133.1 by @dependabot in #462
• Bump ruby/setup-ruby from 1.133.1 to 1.133.2 by @dependabot in #464
• Bump ruby/setup-ruby from 1.133.2 to 1.134.0 by @dependabot in #466
• Missing 'do' on example by @zzak in #467
• Try to use dependabot automerge by @hsbt in #470
• Rewrite auto-merge feature for dependabot by @hsbt in #471
• Bump ruby/setup-ruby from 1.134.0 to 1.137.2 by @dependabot in #469
• Update bundler in Dependabot by @ono-max in #472
• Bump ruby/setup-ruby from 1.137.2 to 1.138.0 by @dependabot in #473
• Update minitest requirement from 5.15.0 to 5.17.0 by @dependabot in #474
• Fix grammar in help text by @mebezac in #381
• Try to use ruby/ruby/.github/workflows/ruby_versions.yml@master by @hsbt in #475
• Bump lewagon/wait-on-check-action from 1.2.0 to 1.3.1 by @dependabot in #476
• Use GitHub Pages Action for generating rdoc page by @hsbt in #477
• Bump ruby/setup-ruby from 1.138.0 to 1.143.0 by @dependabot in #478
• Update minitest requirement from 5.17.0 to 5.18.0 by @dependabot in #479
• Bump ruby/setup-ruby from 1.143.0 to 1.144.0 by @dependabot in #480
• Bump ruby/setup-ruby from 1.144.0 to 1.144.1 by @dependabot in #482
• Bump actions/deploy-pages from 1 to 2 by @dependabot in #481
• Bump ruby/setup-ruby from 1.144.1 to 1.144.2 by @dependabot in #484
• Update rubocop requirement from ~> 1.12.1 to ~> 1.48.1 by @dependabot in #485
• Bump ruby/setup-ruby from 1.144.2 to 1.145.0 by @dependabot in #487
• Update rubocop requirement from ~> 1.48.1 to ~> 1.49.0 by @dependabot in #488
• Support #detailed_message when task failed by @ksss in #486
• Debug at stop when task fail by @ksss in #489
• Drop to support Ruby 2.2 by @hsbt in #492
• Bump ruby/setup-ruby from 1.145.0 to 1.146.0 by @dependabot in #491
• Update rubocop requirement from ~> 1.49.0 to ~> 1.50.1 by @dependabot in #493
• Bump up setup-ruby by @hsbt in #497
• Bump ruby/setup-ruby from 1.148.0 to 1.149.0 by @dependabot in #498
• Update rubocop requirement from ~> 1.50.1 to ~> 1.51.0 by @dependabot in #499
• Bump ruby/setup-ruby from 1.149.0 to 1.150.0 by @dependabot in #500
• Update rubocop requirement from ~> 1.51.0 to ~> 1.52.0 by @dependabot in #502
• Bump ruby/setup-ruby from 1.150.0 to 1.151.0 by @dependabot in #503
• Update development dependencies by @hsbt in #505
• Bump ruby/setup-ruby from 1.151.0 to 1.152.0 by @dependabot in #506
• Bump actions/upload-pages-artifact from 1 to 2 by @dependabot in #508
• Bump actions/checkout from 3 to 4 by @dependabot in #513
• Bump ruby/setup-ruby from 1.152.0 to 1.153.0 by @dependabot in #514
• Bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #516
• Bump ruby/setup-ruby from 1.153.0 to 1.154.0 by @dependabot in #517
• Bump ruby/setup-ruby from 1.154.0 to 1.155.0 by @dependabot in #518
• Bump ruby/setup-ruby from 1.155.0 to 1.156.0 by @dependabot in #519
• Bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #520
• Bump ruby/setup-ruby from 1.156.0 to 1.157.0 by @dependabot in #521

New Contributors

• @petergoldstein made their first contribution in #415
• @da2x made their first contribution in #393
• @dependabot made their first contribution in #417
• @tnir made their first contribution in #421
• @step-security-bot made their first contribution in #450
• @hanneskaeufler made their first contribution in #458
• @ono-max made their first contribution in #472
• @mebezac made their first contribution in #381
• @ksss made their first contribution in #486

Full Changelog: v13.0.6...v13.1.0