Vulnerability details: VCID-rnhy-e472-abcc
Vulnerability ID VCID-rnhy-e472-abcc
Aliases CVE-2020-5217
GHSA-xq52-rv6w-397c
Summary: Directive injection when using dynamic overrides with user input

### Impact

If user-supplied input was passed into `append/override_content_security_policy_directives`, a semicolon could be injected, leading to directive injection. This could be used, for example, to override a `script-src` directive. Duplicate directives are ignored and the first one wins. The directives in `secure_headers` are sorted alphabetically, so they pretty much all come before `script-src`. A previously undefined directive would receive a value even if `SecureHeaders::OPT_OUT` was supplied.

The fixed versions silently convert the semicolons to spaces and emit a deprecation warning when this happens. This results in innocuous browser console messages if the issue is being exploited or accidentally triggered. In future releases, we will raise application errors resulting in 500s.

> Duplicate script-src directives detected. All but the first instance will be ignored. See https://www.w3.org/TR/CSP3/#parse-serialized-policy

> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was ignored. A console warning might be appropriate, for example.

### Patches

Depending on which major version you are using, the fixed versions are 6.2.0, 5.1.0 and 3.8.0.

### Workarounds

If you are passing user input into the above methods, you could filter the input:

```ruby
override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])
```

### References

* Reported in https://github.com/twitter/secure_headers/issues/418
* https://www.w3.org/TR/CSP3/#parse-serialized-policy

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [this repo](https://github.com/twitter/secure_headers/issues/new)
* DM @ndm on twitter
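The two defences the advisory describes, as an added example that is not code from the `secure_headers` gem or the advisory: neutralising `;` in a user-controlled source value before it reaches the policy (what the fixed versions and the workaround do), and a CSP3-style parser for the serialized policy that reports the duplicate-directive condition browsers warn about. The hostnames and the `BASE` policy are constructed sample data.

```ruby
# Added example, not code from the secure_headers gem or the advisory.
# Two defensive layers for user-controlled CSP source values:
#  1. neutralise ";" before the value reaches the policy (what the fixed
#     versions and the advisory's workaround do);
#  2. parse the serialized policy the way CSP3 does and report duplicate
#     directives, which is the condition browsers warn about in the console.

# Layer 1: strip directive separators from a single source value and report
# whether anything was changed, so the caller can log the event.
def sanitize_csp_value(value)
  cleaned = value.to_s.gsub(";", " ").split(/\s+/).join(" ")
  { value: cleaned, modified: cleaned != value.to_s.strip }
end

# Serialize a directive => sources hash into a Content-Security-Policy value.
def serialize_policy(directives)
  directives.map { |name, sources| ([name] + sources).join(" ") }.join("; ")
end

# Layer 2: CSP3 "parse a serialized CSP": split on ";", the first token is the
# directive name (case-insensitive), the rest are its values; a repeated
# directive is ignored (first wins) and recorded for reporting.
def parse_serialized_policy(policy)
  directives = {}
  duplicates = []
  policy.split(";").each do |token|
    parts = token.strip.split(/\s+/)
    next if parts.empty? || parts[0].empty?
    name = parts[0].downcase
    if directives.key?(name)
      duplicates << name
    else
      directives[name] = parts[1..-1]
    end
  end
  { directives: directives, duplicates: duplicates }
end

# Constructed untrusted input: a host followed by a second directive.
UNTRUSTED = "https://embed.example; script-src https://injected.example"
BASE = { "default-src" => ["'self'"], "script-src" => ["'self'"] }

# Without sanitisation the parser sees a duplicate script-src directive (the
# first one still wins); with it, the extra text is just harmless frame-src tokens.
def demo(sanitize:)
  value = sanitize ? sanitize_csp_value(UNTRUSTED)[:value] : UNTRUSTED
  parse_serialized_policy(serialize_policy(BASE.merge("frame-src" => [value])))
end
```

Calling `demo(sanitize: false)[:duplicates]` returns `["script-src"]`, which is the event worth logging server-side rather than relying on a browser console warning.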
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (2)
System Score Found at
cvssv3 5.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5217.json
epss 0.00521 https://api.first.org/data/v1/epss?cve=CVE-2020-5217
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-xq52-rv6w-397c
cvssv3.1 4.4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2020-5217.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2020-5217.yml
cvssv3.1 4.4 https://github.com/twitter/secure_headers
generic_textual MODERATE https://github.com/twitter/secure_headers
cvssv3.1 4.4 https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3
generic_textual MODERATE https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3
cvssv3.1 4.4 https://github.com/twitter/secure_headers/issues/418
generic_textual MODERATE https://github.com/twitter/secure_headers/issues/418
cvssv3.1 4.4 https://github.com/twitter/secure_headers/pull/421
generic_textual MODERATE https://github.com/twitter/secure_headers/pull/421
cvssv3 4.4 https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
cvssv3.1 4.4 https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
cvssv3.1_qr MODERATE https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
generic_textual MODERATE https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
cvssv3.1 4.4 https://nvd.nist.gov/vuln/detail/CVE-2020-5217
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2020-5217
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5217.json

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2020-5217.yml

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/twitter/secure_headers

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/twitter/secure_headers/issues/418

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/twitter/secure_headers/pull/421

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-5217

Exploit Prediction Scoring System (EPSS)
Percentile 0.67137
EPSS Score 0.00521
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T09:10:35.788078+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-xq52-rv6w-397c/GHSA-xq52-rv6w-397c.json 38.6.0