Added details of new Rails vulnerabilities

jamgregory · jamgregory · commit 03c7702be716 · 2026-03-31T12:09:12.000+01:00
diff --git a/gems/actionpack/CVE-2026-33167.yml b/gems/actionpack/CVE-2026-33167.yml
@@ -0,0 +1,27 @@
+---
+gem: actionpack
+framework: rails
+cve: 2026-33167
+ghsa: pgm4-439c-5jp6
+url: https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
+title: Rails has a possible XSS vulnerability in its Action Pack debug exceptions
+date: 2026-03-23
+description: |
+  ### Impact
+  The debug exceptions page does not properly escape exception messages.
+  A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS.
+  This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`),
+  which is the default in development.
+
+  ### Releases
+  The fixed releases are available at the normal locations.
+unaffected_versions:
+  - "< 8.1.0"
+patched_versions:
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
+    - https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-pgm4-439c-5jp6
diff --git a/gems/actionview/CVE-2026-33168.yml b/gems/actionview/CVE-2026-33168.yml
@@ -0,0 +1,31 @@
+---
+gem: actionview
+framework: rails
+cve: 2026-33168
+ghsa: v55j-83pf-r9cq
+url: https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
+title: Rails has a possible XSS vulnerability in its Action View tag helpers
+date: 2026-03-23
+description: |
+  ### Impact
+  When a blank string is used as an HTML attribute name in Action View tag helpers,
+  the attribute escaping is bypassed, producing malformed HTML.
+  A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name,
+  possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.
+
+  ### Releases
+  The fixed releases are available at the normal locations.
+patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
+    - https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c
+    - https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d
+    - https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-v55j-83pf-r9cq
diff --git a/gems/activestorage/CVE-2026-33173.yml b/gems/activestorage/CVE-2026-33173.yml
@@ -0,0 +1,31 @@
+---
+gem: activestorage
+framework: rails
+cve: 2026-33173
+ghsa: qcfx-2mfw-w4cg
+url: https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
+title: Rails Active Storage has possible content type bypass via metadata in direct
+  uploads
+date: 2026-03-23
+description: |
+  ### Impact
+  Active Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob.
+  Because internal flags like `identified` and `analyzed` are stored in the same metadata hash,
+  a malicious direct-upload client could set these flags.
+
+  ### Releases
+  The fixed releases are available at the normal locations.
+patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
+    - https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
+    - https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
+    - https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-qcfx-2mfw-w4cg
diff --git a/gems/activestorage/CVE-2026-33174.yml b/gems/activestorage/CVE-2026-33174.yml
@@ -0,0 +1,32 @@
+---
+gem: activestorage
+framework: rails
+cve: 2026-33174
+ghsa: r46p-8f7g-vvvg
+url: https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
+title: Rails Active Storage has a possible DoS vulnerability when in proxy mode via
+  Range requests
+date: 2026-03-23
+description: |
+  ### Impact
+  When serving files through Active Storage's `Blobs::ProxyController`,
+  the controller loads the entire requested byte range into memory before sending it.
+  A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server
+  to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.
+
+  ### Releases
+  The fixed releases are available at the normal locations.
+patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
+    - https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
+    - https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
+    - https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-r46p-8f7g-vvvg
diff --git a/gems/activestorage/CVE-2026-33195.yml b/gems/activestorage/CVE-2026-33195.yml
@@ -0,0 +1,33 @@
+---
+gem: activestorage
+framework: rails
+cve: 2026-33195
+ghsa: 9xrj-h377-fr87
+url: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
+title: Rails Active Storage has possible Path Traversal in DiskService
+date: 2026-03-23
+description: |
+  ### Impact
+  Active Storage's `DiskService#path_for` does not validate that the
+  resolved filesystem path remains within the storage root directory.
+  If a blob key containing path traversal sequences (e.g. `../`) is used,
+  it could allow reading, writing, or deleting arbitrary files on the server.
+  Blob keys are expected to be trusted strings,
+  but some applications could be passing user input as keys and would be affected.
+
+  ### Releases
+  The fixed releases are available at the normal locations.
+patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
+    - https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
+    - https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
+    - https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-9xrj-h377-fr87
diff --git a/gems/activestorage/CVE-2026-33202.yml b/gems/activestorage/CVE-2026-33202.yml
@@ -0,0 +1,29 @@
+---
+gem: activestorage
+framework: rails
+cve: 2026-33202
+ghsa: 73f9-jhhh-hr5m
+url: https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
+title: Rails Active Storage has possible glob injection in its DiskService
+date: 2026-03-23
+description: |
+  ### Impact
+  Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters.
+  If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters,
+  it may be possible to delete unintended files from the storage directory.
+
+  ### Releases
+  The fixed releases are available at the normal locations.
+patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
+    - https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c
+    - https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf
+    - https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
diff --git a/gems/activesupport/CVE-2026-33169.yml b/gems/activesupport/CVE-2026-33169.yml
@@ -0,0 +1,29 @@
+---
+gem: activesupport
+framework: rails
+cve: 2026-33169
+ghsa: cg4j-q9v8-6v38
+url: https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
+title: Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
+date: 2026-03-23
+description: |
+  ### Impact
+  `NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters.
+  This could produce quadratic time complexity on long digit strings.
+
+  ### Releases
+  The fixed releases are available at the normal locations.
+patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
+    - https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
+    - https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
+    - https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-cg4j-q9v8-6v38
diff --git a/gems/activesupport/CVE-2026-33170.yml b/gems/activesupport/CVE-2026-33170.yml
@@ -0,0 +1,30 @@
+---
+gem: activesupport
+framework: rails
+cve: 2026-33170
+ghsa: 89vf-4333-qx8v
+url: https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
+title: Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
+date: 2026-03-23
+description: |
+  ### Impact
+  `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer.
+  If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments,
+  the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS.
+
+  ### Releases
+  The fixed releases are available at the normal locations.
+patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
+    - https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
+    - https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
+    - https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-89vf-4333-qx8v
diff --git a/gems/activesupport/CVE-2026-33176.yml b/gems/activesupport/CVE-2026-33176.yml
@@ -0,0 +1,31 @@
+---
+gem: activesupport
+framework: rails
+cve: 2026-33176
+ghsa: 2j26-frm8-cmj9
+url: https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
+title: Rails Active Support has a possible DoS vulnerability in its number helpers
+date: 2026-03-23
+description: |
+  ### Impact
+  Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`),
+  which when converted to a string could be expanded into extremely large decimal representations.
+  This can cause excessive memory allocation and CPU consumption when the expanded number is formatted,
+  possibly resulting in a DoS vulnerability.
+
+  ### Releases
+  The fixed releases are available at the normal locations.
+patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
+    - https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
+    - https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
+    - https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-2j26-frm8-cmj9
