⚠ Actively exploited
Added to CISA KEV on 2025-07-07. Federal agencies are required to patch by 2025-07-28. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2019-5418

Severity: 7.5 HIGH
EPSS: 94.3% (top 0.05%)
CISA KEV: added 2025-07-07, due 2025-07-28
Exploit: public exploit / PoC available

Timeline
Published: 2019-03-27
KEV added: 2025-07-07
Latest update: 2025-07-17
KEV due: 2025-07-28

Description

Action View, the view layer of Ruby on Rails, has a File Content Disclosure vulnerability in versions before 5.2.2.1, 5.1.6.2, 5.0.7.2 and 4.2.11.1, and in every 3.x release: a specially crafted Accept header can cause the contents of arbitrary files on the target system's filesystem to be returned to the requester.
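The Accept-header traversal the description refers to leaves a distinctive mark in request logs. The following Ruby script is an added example, not code from cvebase.io, the Rails project or the Suricata rule this page lists; it parses constructed raw HTTP requests and flags any whose Accept header contains a `../` sequence, which a legitimate list of media ranges never contains. The request lines are made up for the demo, and the probe's Accept value is shaped like the public PoC payload (a traversal path terminated with `{{`).

```ruby
# Added example (not from the page or the Rails project): flag HTTP requests
# whose Accept header carries a path traversal sequence, the form a
# CVE-2019-5418 probe against a Rails `render file:` action takes.
# All sample requests below are constructed for this demo.

# Literal "../" anywhere in the header value. Rails consumes the Accept
# header as sent, so this is the form an actual probe has to use.
TRAVERSAL = %r{\.\./}

# Parse one raw HTTP/1.x request (request line plus header lines) into
# method, path and a lower-cased header hash.
def parse_request(raw)
  request_line, *header_lines = raw.split(/\r?\n/)
  method, path, = request_line.to_s.split(" ", 3)
  headers = {}
  header_lines.each do |line|
    name, value = line.split(":", 2)
    next if value.nil? # blank line or malformed header
    headers[name.strip.downcase] = value.strip
  end
  { method: method, path: path, headers: headers }
end

# Returns a finding hash for a suspicious request, or nil for a clean one.
# A legitimate Accept value is a list of media ranges such as
# "text/html,application/xhtml+xml;q=0.9"; "../" never appears in one.
def cve_2019_5418_finding(raw)
  req = parse_request(raw)
  accept = req[:headers]["accept"]
  return nil unless accept && accept.match?(TRAVERSAL)
  { method: req[:method], path: req[:path], accept: accept,
    reason: "path traversal sequence in Accept header (CVE-2019-5418 probe)" }
end

# Run the check over a batch of raw requests and keep only the findings.
def scan(raw_requests)
  raw_requests.map { |raw| cve_2019_5418_finding(raw) }.compact
end

# Constructed traffic: a normal browser request followed by a probe whose
# Accept header is shaped like the public PoC (traversal ending in "{{").
SAMPLE_REQUESTS = [
  "GET /posts/1 HTTP/1.1\r\nHost: app.example\r\n" \
    "Accept: text/html,application/xhtml+xml;q=0.9,*/*;q=0.8\r\n\r\n",
  "GET /posts/1 HTTP/1.1\r\nHost: app.example\r\n" \
    "Accept: ../../../../../../../../etc/passwd{{\r\n\r\n",
]

if __FILE__ == $0
  scan(SAMPLE_REQUESTS).each do |f|
    puts "#{f[:method]} #{f[:path]} Accept=#{f[:accept].inspect}: #{f[:reason]}"
  end
end
```

The check keys on the header value rather than on the requested path because the path of a CVE-2019-5418 probe is an ordinary application route; only the Accept header is abnormal.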

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (8 packages)

Source   | Package           | Affected range (first affected / first fixed)
RubyGems | actionview        | 5.2.0 / 5.2.2.1 (+3 more ranges)
NVD      | rubyonrails/rails | 3.0.0 / 4.2.11.1 (+3 more ranges)
Debian   | rails             | < 2:5.2.2.1+dfsg-1 (+3 more)
Ubuntu   | rails             | < 2:4.2.6-1ubuntu0.1~esm2 (+1 more)
NVD      | opensuse/leap     | 15.0

Also affects: Debian Linux 8.0, Fedora 30
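To turn the version ranges above into a check against an application's Gemfile.lock, the Ruby below is an added example, not cvebase.io's or the Rails project's code. The per-series ranges it encodes are derived from the fixed versions in the description (5.2.2.1, 5.1.6.2, 5.0.7.2 and 4.2.11.1, with every 3.x release affected and no fixed 3.x release); splitting them into four [first affected, first fixed) ranges is an assumption that mirrors how the RubyGems entry above reports them. The lockfile excerpt is constructed.

```ruby
# Added example (not from the page or the Rails project): decide whether a
# resolved actionview version, or the one pinned in a Gemfile.lock, falls in
# a CVE-2019-5418 affected range.
require "rubygems"

# [first affected, first fixed) ranges derived from the advisory's fixed
# versions. Everything below 4.2.11.1 (all 3.x and 4.x releases before the
# 4.2 fix) is affected; the split into four ranges is an assumption.
AFFECTED_RANGES = [
  ["0",     "4.2.11.1"],
  ["5.0.0", "5.0.7.2"],
  ["5.1.0", "5.1.6.2"],
  ["5.2.0", "5.2.2.1"],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }

# True when the version sits inside any affected range. Gem::Version
# compares segment by segment, so "5.2.2" < "5.2.2.1" as expected.
def vulnerable_actionview?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# Pull the resolved actionview version out of a Gemfile.lock body.
# Only the spec line "    actionview (5.2.1)" matches; dependency lines such
# as "      actionview (= 5.2.1)" start with "=" and are skipped.
# Returns nil when the lockfile does not resolve actionview at all.
def actionview_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^\s+actionview \((\d[^)]*)\)/)
  m && m[1]
end

# Combined check: nil when actionview is absent, otherwise true/false.
def lockfile_vulnerable?(lockfile_text)
  version = actionview_version_from_lockfile(lockfile_text)
  version && vulnerable_actionview?(version)
end

# Constructed Gemfile.lock excerpt pinning an affected release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.1)
        actionview (= 5.2.1)
        activesupport (= 5.2.1)
      actionview (5.2.1)
        activesupport (= 5.2.1)
        builder (~> 3.1)
      activesupport (5.2.1)

  DEPENDENCIES
    rails (= 5.2.1)
LOCK

if __FILE__ == $0
  version = actionview_version_from_lockfile(SAMPLE_LOCKFILE)
  status = lockfile_vulnerable?(SAMPLE_LOCKFILE) ? "affected" : "not affected"
  puts "actionview #{version}: #{status} by CVE-2019-5418"
end
```

Run it against a real lockfile with `lockfile_vulnerable?(File.read("Gemfile.lock"))`. A `nil` result means actionview is not in the lockfile at all, which is different from "fixed" and should be reported as such.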

Patches

🔴 Vulnerability Details (6)

Source  | Title                                                                          | Date
OSV     | rails vulnerability                                                            | 2025-07-17
OSV     | CVE-2019-5418: There is a File Content Disclosure vulnerability in Action View <5… | 2019-03-27
CVEList | CVE-2019-5418: There is a File Content Disclosure vulnerability in Action View <5… | 2019-03-27
OSV     | Path Traversal in Action View                                                  | 2019-03-13
GHSA    | Path Traversal in Action View                                                  | 2019-03-13

💥 Exploits & PoCs (2)

Source     | Title                                             | Date
Exploit-DB | Rails 5.2.1 - Arbitrary File Content Disclosure   | 2019-03-21
Nuclei     | Rails File Content Disclosure                     |

🔍 Detection Rules (1)

Source   | Title                                                          | Date
Suricata | ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt   | 2019-03-19

📋 Vendor Advisories (4)

Source  | Title                                                                                            | Date
Ubuntu  | Rails vulnerability                                                                              | 2025-07-17
CISA    | Rails Ruby on Rails Path Traversal Vulnerability                                                 | 2025-07-07
Red Hat | rubygem-actionpack: render file directory traversal in Action View                               | 2019-03-13
Debian  | CVE-2019-5418: rails - There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6... | 2019

💬 Community (2)

Source   | Title                                                                              | Date
Bugzilla | CVE-2019-5418 rubygem-actionpack: render file directory traversal in Action View   | 2019-03-15
Bugzilla | CVE-2019-5418 CVE-2019-5419 rubygem-actionview: various flaws [fedora-all]         | 2019-03-15
CVE-2019-5418 (HIGH CVSS 7.5) | There is a File Content Disclosure | cvebase.io