CVE-2025-55193 — Improper Neutralization of Escape, Meta, or Control Sequences in Project Activerecord

CWE-150 — Improper Neutralization of Escape, Meta, or Control Sequences7 documents6 sources

Severity

2.7LOWNVD

EPSS

0.1%

top 66.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Activerecord Project Activerecord Rails

Timeline

PublishedAug 13

Description

Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Affected Packages3 packages

▶RubyGemsactiverecord_project/activerecord8.0 — 8.0.2.1+2

▶Debianrubyonrails/rails< 2:6.0.3.7+dfsg-2+deb11u4+3

▶CVEListV5rails/rails>= 0, < 7.1.5.2, >= 7.2, < 7.2.2.2, >= 8.0, < 8.0.2.1+2

🔴Vulnerability Details

GHSA

Active Record logging vulnerable to ANSI escape injection↗2025-08-13

▶

CVEList

Active Record logging vulnerable to ANSI escape injection↗2025-08-13

▶

OSV

CVE-2025-55193: Active Record connects classes to relational database tables↗2025-08-13

▶

OSV

Active Record logging vulnerable to ANSI escape injection↗2025-08-13

▶

📋Vendor Advisories

Red Hat

activerecord: Active Record ANSI Injection Vulnerability↗2025-08-13

▶

Debian

CVE-2025-55193: rails - Active Record connects classes to relational database tables. Prior to versions ...↗2025

▶