Package details: pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl: pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
Next non-vulnerable version: 2:7.2.3.1+dfsg-1
Latest non-vulnerable version: 2:7.2.3.1+dfsg-1
Risk: 4.0
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-4tzv-1t1b-t3g3
Aliases: CVE-2026-33169, GHSA-cg4j-q9v8-6v38
Summary: Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
Impact: `NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.
Releases: The fixed releases are available at the normal locations.
Fixed by: 2:7.2.3.1+dfsg-1
Affected by 0 other vulnerabilities.
VCID-5tky-d2en-u7c7
Aliases: CVE-2026-33170, GHSA-89vf-4333-qx8v
Summary: Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
Impact: `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS.
Releases: The fixed releases are available at the normal locations.
Fixed by: 2:7.2.3.1+dfsg-1
Affected by 0 other vulnerabilities.
VCID-96qr-hdbp-p7ff
Aliases: CVE-2026-33168, GHSA-v55j-83pf-r9cq
Summary: Rails has a possible XSS vulnerability in its Action View tag helpers
Impact: When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.
Releases: The fixed releases are available at the normal locations.
Fixed by: 2:7.2.3.1+dfsg-1
Affected by 0 other vulnerabilities.
VCID-a6z9-5n6k-2kak
Aliases: CVE-2026-33173, GHSA-qcfx-2mfw-w4cg
Summary: Rails Active Storage has possible content type bypass via metadata in direct uploads
Impact: Active Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a malicious direct-upload client could set these flags.
Releases: The fixed releases are available at the normal locations.
Fixed by: 2:7.2.3.1+dfsg-1
Affected by 0 other vulnerabilities.
VCID-ad6q-vtdf-syb6
Aliases: CVE-2026-33658, GHSA-p9fm-f462-ggrg
Summary: Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Impact: Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.
Releases: The fixed releases are available at the normal locations.
Fixed by: 2:7.2.3.1+dfsg-1
Affected by 0 other vulnerabilities.
VCID-hatd-vkun-13hj
Aliases: CVE-2026-33202, GHSA-73f9-jhhh-hr5m
Summary: Rails Active Storage has possible glob injection in its DiskService
Impact: Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.
Releases: The fixed releases are available at the normal locations.
Fixed by: 2:7.2.3.1+dfsg-1
Affected by 0 other vulnerabilities.
VCID-qxe4-dubt-1kfp
Aliases: CVE-2026-33174, GHSA-r46p-8f7g-vvvg
Summary: Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
Impact: When serving files through Active Storage's `Blobs::ProxyController`, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.
Releases: The fixed releases are available at the normal locations.
Fixed by: 2:7.2.3.1+dfsg-1
Affected by 0 other vulnerabilities.
VCID-sarm-n22v-akcm
Aliases: CVE-2026-33176, GHSA-2j26-frm8-cmj9
Summary: Rails Active Support has a possible DoS vulnerability in its number helpers
Impact: Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.
Releases: The fixed releases are available at the normal locations.
Fixed by: 2:7.2.3.1+dfsg-1
Affected by 0 other vulnerabilities.
VCID-wpmk-wgpm-cuee
Aliases: CVE-2026-33195, GHSA-9xrj-h377-fr87
Summary: Rails Active Storage has possible Path Traversal in DiskService
Impact: Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.
Releases: The fixed releases are available at the normal locations.
Fixed by: 2:7.2.3.1+dfsg-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (11)
Vulnerability Summary Aliases
VCID-3hur-esmy-x3hr
Summary: Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.
Impact: Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases: The fixed releases are available at the normal locations.
Workarounds: Users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2.
Credits: Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
Aliases: CVE-2024-47888, GHSA-wwhv-wxv9-rpgw
VCID-6pxd-xsaw-tuer
Summary: Active Support Possibly Discloses Locally Encrypted Files
There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.
Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.7.1, 6.1.7.5
Aliases: CVE-2023-38037, GHSA-cr5q-6q9f-rq6q
VCID-dd9p-x7k3-37ea
Summary: Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.
Versions Affected: All.
Not affected: None
Fixed Versions: 7.0.5.1, 6.1.7.4
Aliases: CVE-2023-28362, GHSA-4g8v-vg43-wpgf
VCID-g3rk-djae-pkeh
Summary: Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack.
Impact: Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.
Releases: The fixed releases are available at the normal locations.
Workarounds: Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
Credits: Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
Aliases: CVE-2024-54133, GHSA-vfm5-rmrh-j26v
VCID-n8r7-wthv-fqaj
Summary: Active Record RCE bug with Serialized Columns
When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data into Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.
Aliases: CVE-2022-32224, GHSA-3hhc-qp5v-9p2j, GMS-2022-3029
VCID-sfyc-jewr-wuf5
Summary: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.
Impact: For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases: The fixed releases are available at the normal locations.
Workarounds: Users on Ruby 3.2 are unaffected by this issue.
Credits: Thanks to [scyoon](https://hackerone.com/scyoon) for reporting.
Aliases: CVE-2024-47887, GHSA-vfg9-r3fq-jvx4
VCID-sgdb-985e-4uej
Summary: Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.
Impact: Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases: The fixed releases are available at the normal locations.
Workarounds: Users on Ruby 3.2 are unaffected by this issue.
Credits: Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!
Aliases: CVE-2024-41128, GHSA-x76w-6vjr-8xgj
VCID-sygb-mygd-s3gb
Summary: Duplicate
This advisory duplicates another.
Aliases: CVE-2022-44566, GHSA-579w-22j4-4749, GMS-2023-59
VCID-yy6t-ybeu-qycc
Summary: Possible ReDoS vulnerability in block_format in Action Mailer
There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.
Impact: Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.
Releases: The fixed releases are available at the normal locations.
Workarounds: Users can avoid calling the `block_format` helper or upgrade to Ruby 3.2.
Credits: Thanks to yuki_osaki for the report!
Aliases: CVE-2024-47889, GHSA-h47h-mwp9-c6q6
VCID-yzpx-3gam-y3bu
Summary: Active Storage allowed transformation methods that were potentially unsafe
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. This has been assigned the CVE identifier CVE-2025-24293.
Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1
Impact: This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this:
```
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```
Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases: The fixed releases are available at the normal locations.
Workarounds: Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed.
Credits: Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this!
Aliases: CVE-2025-24293, GHSA-r4mg-4433-c7g3
VCID-zqzx-avvt-wkhm
Summary: Active Record logging vulnerable to ANSI escape injection
This vulnerability has been assigned the CVE identifier CVE-2025-55193.
Impact: The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.
Releases: The fixed releases are available at the normal locations.
Credits: Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability.
Aliases: CVE-2025-55193, GHSA-76r7-hhxj-r776

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T13:31:02.937084+00:00 Debian Importer Affected by VCID-sarm-n22v-akcm https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:58:24.403727+00:00 Debian Importer Affected by VCID-hatd-vkun-13hj https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:46:09.508535+00:00 Debian Importer Affected by VCID-qxe4-dubt-1kfp https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:11:43.494864+00:00 Debian Importer Affected by VCID-ad6q-vtdf-syb6 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:03:35.433182+00:00 Debian Importer Affected by VCID-4tzv-1t1b-t3g3 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:10:23.444382+00:00 Debian Importer Affected by VCID-5tky-d2en-u7c7 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:51:19.644806+00:00 Debian Importer Affected by VCID-a6z9-5n6k-2kak https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:46:58.805968+00:00 Debian Importer Affected by VCID-wpmk-wgpm-cuee https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:43:07.320925+00:00 Debian Importer Affected by VCID-96qr-hdbp-p7ff https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:41:02.238028+00:00 Debian Importer Fixing VCID-n8r7-wthv-fqaj https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-15T20:47:06.767008+00:00 Debian Oval Importer Fixing VCID-sygb-mygd-s3gb https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T20:08:15.074648+00:00 Debian Oval Importer Fixing VCID-3hur-esmy-x3hr https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T20:01:32.302973+00:00 Debian Oval Importer Fixing VCID-6pxd-xsaw-tuer https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T19:01:17.835772+00:00 Debian Oval Importer Fixing VCID-yy6t-ybeu-qycc https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T18:58:38.867290+00:00 Debian Oval Importer Fixing VCID-sgdb-985e-4uej https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T18:18:26.373373+00:00 Debian Oval Importer Fixing VCID-yzpx-3gam-y3bu https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T17:41:25.351418+00:00 Debian Oval Importer Fixing VCID-dd9p-x7k3-37ea https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T17:03:40.733899+00:00 Debian Oval Importer Fixing VCID-g3rk-djae-pkeh https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T16:56:03.844791+00:00 Debian Oval Importer Fixing VCID-sfyc-jewr-wuf5 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T15:49:12.591806+00:00 Debian Oval Importer Fixing VCID-zqzx-avvt-wkhm https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-11T20:28:01.108245+00:00 Debian Oval Importer Fixing VCID-sygb-mygd-s3gb https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T19:49:56.003030+00:00 Debian Oval Importer Fixing VCID-3hur-esmy-x3hr https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T19:43:24.646453+00:00 Debian Oval Importer Fixing VCID-6pxd-xsaw-tuer https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T18:45:22.273310+00:00 Debian Oval Importer Fixing VCID-yy6t-ybeu-qycc https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T18:42:49.376982+00:00 Debian Oval Importer Fixing VCID-sgdb-985e-4uej https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T18:03:43.839705+00:00 Debian Oval Importer Fixing VCID-yzpx-3gam-y3bu https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T17:50:13.267976+00:00 Debian Importer Fixing VCID-n8r7-wthv-fqaj https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T17:27:32.092599+00:00 Debian Oval Importer Fixing VCID-dd9p-x7k3-37ea https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T16:50:13.230317+00:00 Debian Oval Importer Fixing VCID-g3rk-djae-pkeh https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T16:42:44.800824+00:00 Debian Oval Importer Fixing VCID-sfyc-jewr-wuf5 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T15:36:53.125153+00:00 Debian Oval Importer Fixing VCID-zqzx-avvt-wkhm https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-08T20:08:25.653543+00:00 Debian Oval Importer Fixing VCID-sygb-mygd-s3gb https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T19:32:26.629503+00:00 Debian Oval Importer Fixing VCID-3hur-esmy-x3hr https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T19:26:14.232751+00:00 Debian Oval Importer Fixing VCID-6pxd-xsaw-tuer https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T18:30:25.002333+00:00 Debian Oval Importer Fixing VCID-yy6t-ybeu-qycc https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T18:27:54.238073+00:00 Debian Oval Importer Fixing VCID-sgdb-985e-4uej https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T17:50:14.536432+00:00 Debian Oval Importer Fixing VCID-yzpx-3gam-y3bu https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T17:15:34.449193+00:00 Debian Oval Importer Fixing VCID-dd9p-x7k3-37ea https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T16:40:19.443667+00:00 Debian Oval Importer Fixing VCID-g3rk-djae-pkeh https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T16:33:13.198820+00:00 Debian Oval Importer Fixing VCID-sfyc-jewr-wuf5 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T15:30:52.877685+00:00 Debian Oval Importer Fixing VCID-zqzx-avvt-wkhm https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-07T05:50:28.530724+00:00 Debian Importer Fixing VCID-n8r7-wthv-fqaj https://security-tracker.debian.org/tracker/data/json 38.1.0