Actionpack Project Actionpack vulnerabilities
63 known vulnerabilities affecting actionpack_project/actionpack.
Total CVEs: 63
CISA KEV: 2 (actively exploited)
Public exploits: 7
Exploited in wild: 2
Severity breakdown: Critical 1, High 16, Medium 42, Low 4
Vulnerabilities
Page 1 of 4
CVE-2026-33167 [LOW] CWE-79 | Affected: ≥ 8.1.0, < 8.1.2.1 | Date: 2026-03-23
Rails has a possible XSS vulnerability in its Action Pack debug exceptions
### Impact
The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the def
Sources: GHSA, OSV
CVE-2024-54133 [LOW] CWE-79 | Affected: ≥ 5.2.0, < 7.0.8.7; ≥ 7.1.0, < 7.1.5.1; +2 more ranges | Date: 2024-12-10
Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack.
Impact
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of th
Sources: GHSA, OSV
CVE-2024-47887 [MEDIUM, CVSS 6.6] CWE-1333 | Affected: ≥ 4.0.0, < 6.1.7.9; ≥ 7.0.0, < 7.0.8.5; +2 more ranges | Date: 2024-10-15
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.
Impact
For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may
Sources: GHSA, OSV
CVE-2024-41128 [MEDIUM, CVSS 6.6] CWE-770 | Affected: ≥ 3.1.0, < 6.1.7.9; ≥ 7.0.0, < 7.0.8.5; +2 more ranges | Date: 2024-10-15
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.
Impact
Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in
Sources: GHSA, OSV
CVE-2024-28103 [CRITICAL, CVSS 9.8] CWE-20 | Affected: ≥ 6.1.0, < 6.1.7.8; ≥ 7.0.0, < 7.0.8.4; +2 more ranges | Date: 2024-06-04
Missing security headers in Action Pack on non-HTML responses
# Permissions-Policy is Only Served on HTML Content-Type
The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type.
This has been assigned the CVE identifier CVE-2024-28103.
Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4
Impact
Response
Sources: GHSA, OSV
CVE-2024-26142 [HIGH, CVSS 7.5] CWE-1333 | Affected: ≥ 7.1.0, < 7.1.3.1 | Date: 2024-02-27
Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch
# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch
There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142.
Versions Affected: >= 7.1.0, < 7.1.3.1
Not affected: <
Sources: GHSA, OSV
CVE-2024-26143 [MEDIUM, CVSS 6.1] CWE-79 | Affected: ≥ 7.0.0, < 7.0.8.1; ≥ 7.1.0, < 7.1.3.1 | Date: 2024-02-27
Rails has possible XSS Vulnerability in Action Controller
# Possible XSS Vulnerability in Action Controller
There is a possible XSS vulnerability when using the translation helpers (`translate`, `t`, etc.) in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2024-26143.
Versions Affected: >= 7.0.0.
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1
Impact
Applications usin
Sources: GHSA, OSV
CVE-2023-28362 [MEDIUM, CVSS 4.0] CWE-116 | Affected: ≥ 0, < 6.1.7.4; ≥ 7.0.0, < 7.0.5.1 | Date: 2023-06-29
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location heade
Sources: GHSA, OSV
CVE-2023-22797 [MEDIUM, CVSS 6.1] CWE-601 | Affected: ≥ 7.0.0, < 7.0.4.1 | Date: 2023-02-09
An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an
Sources: GHSA, NVD, OSV
CVE-2023-22795 [HIGH, CVSS 7.5] CWE-1333 | Affected: ≥ 4.0.0.beta1, < 6.1.7.1; ≥ 7.0.0, < 7.0.4.1 | Date: 2023-01-18
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.
Versions Affected: All
Not affected: None
Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
A specially crafted HTTP If-None-Match header can cause the regular expr
Sources: GHSA, OSV
CVE-2023-22792 [HIGH, CVSS 7.5] CWE-1333 | Affected: ≥ 3.0.0, < 5.2.8.15; ≥ 6.0.0, < 6.1.7.1; +1 more range | Date: 2023-01-18
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.
Versions Affected: >= 3.0.0
Not affected: < 3.0.0
Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause
Sources: GHSA, OSV
CVE-2022-3704 [LOW] CWE-707 | Affected: ≥ 0, ≤ 7.0.4 | Date: 2022-10-27
Cross-site Scripting in actionpack
actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this [commit](https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4).
This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy-pasting a malicious JavaScript-containing string into a
Sources: GHSA
CVE-2022-22577 [MEDIUM, CVSS 6.1] CWE-79 | Affected: ≥ 5.2.0, < 5.2.7.1; ≥ 6.0.0, < 6.0.4.8; +2 more ranges | Date: 2022-04-27
Cross-site Scripting Vulnerability in Action Pack
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.
Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
## Impact
CSP headers were only sent along with responses that Rails considered as "HTML" responses. This left API requests withou
Sources: GHSA, OSV
CVE-2011-1497 [MEDIUM] CWE-79 | Affected: ≥ 3.0.0.rc, < 3.0.6 | Date: 2022-04-22
Cross site scripting in actionpack Rubygem
A cross-site scripting flaw was found in the `auto_link` function in Rails before version 3.0.6.
Sources: GHSA, OSV
CVE-2022-23633 [HIGH] CWE-200 | Affected: ≥ 5.0.0.0, < 5.2.6.2; ≥ 6.0.0.0, < 6.0.4.6; +2 more ranges | Date: 2022-02-11
Exposure of information in Action Pack
### Impact
Under certain circumstances response bodies will not be closed, for example a [bug in a webserver](https://github.com/puma/puma/pull/2812) or a bug in a Rack middleware. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, esp
Sources: GHSA, OSV
CVE-2021-44528 [MEDIUM, CVSS 6.1, PoC available] CWE-601 | Affected: ≥ 6.0.0, < 6.0.4.2; ≥ 6.1.0, < 6.1.4.2 | Date: 2021-12-14
actionpack Open Redirect in Host Authorization Middleware
Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
```
config.hosts << '.EXAMPLE.co
```
Sources: GHSA, OSV
CVE-2021-22942 [MEDIUM, CVSS 6.1] CWE-601 | Affected: ≥ 6.0.0, < 6.0.4.1; ≥ 6.1.0, < 6.1.4.1 | Date: 2021-08-26
Open Redirect in ActionPack
# Overview
There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.
Versions Affected: >= 6.0.0.
Not affected: < 6.0.0
Fixed Versions: 6.1.4.1, 6.0.4.1
# Impact
Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization m
Sources: GHSA, OSV
CVE-2021-22885 [HIGH] CWE-200 | Affected: ≥ 6.0.0, < 6.0.3.7; ≥ 6.1.0, < 6.1.3.2; +2 more ranges | Date: 2021-05-05
Action Pack contains Information Disclosure / Unintended Method Execution vulnerability
Impact
There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.
Vulnerable code will look like this.
```
redirect_to(params[:some_param])
```
All users running a
Sources: GHSA, OSV
CVE-2021-22902 [HIGH] CWE-400 | Affected: ≥ 6.0.0, < 6.0.3.7; ≥ 6.1.0, < 6.1.3.2 | Date: 2021-05-05
Denial of Service in Action Dispatch
Impact
There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
Releases
The fixed releases are available at the normal locations.
Workarounds
The following monkey patch placed in an initializer can be used to work around the iss
Sources: GHSA, OSV
CVE-2021-22904 [HIGH] CWE-400 | Affected: ≥ 6.0.0, < 6.0.3.7; ≥ 6.1.0, < 6.1.3.2; +2 more ranges | Date: 2021-05-05
Possible DoS Vulnerability in Action Controller Token Authentication
There is a possible DoS vulnerability in the Token Authentication logic in Action Controller.
Versions Affected: >= 4.0.0
Not affected: < 4.0.0
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6
Impact
Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.
Sources: GHSA, OSV