| Package | rails |
|---|---|
| Version | 2:5.2.2.1+dfsg-1+deb10u6 (buster) |
| Related CVEs | CVE-2022-32224 CVE-2022-44566 CVE-2023-22792 CVE-2023-22795 CVE-2023-22796 CVE-2023-23913 CVE-2023-28120 CVE-2023-28362 CVE-2023-38037 CVE-2024-41128 CVE-2024-47887 CVE-2024-47889 CVE-2024-54133 CVE-2025-24293 CVE-2025-55193 |
Multiple vulnerabilities were discovered in Ruby on Rails, an MVC Ruby-based framework for web development. An attacker may escalate to RCE (remote code execution), launch DoS (denial-of-service) and XSS (cross-site scripting) attacks, leak sensitive content, or pollute terminal output.
In particular, this update addresses CVE-2022-32224 which targets applications leveraging YAML-serialized columns in Active Record.
The fix handles common, safe YAML serialization: the primitive Ruby data types and Symbol, as well as newly serialized HashWithIndifferentAccess objects.
However, if your application serializes other classes as YAML, see the following page to learn how to reference these classes in config.active_record.yaml_column_permitted_classes, or to disable the protection entirely (not recommended, at your own risk) with config.active_record.use_yaml_unsafe_load=true.
https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
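Before populating yaml_column_permitted_classes it helps to know which classes the existing column data actually references. The following is an added example (not code from Debian or from Rails): it walks the YAML AST with Psych without instantiating any object to list referenced classes, and mirrors the patched loader with YAML.safe_load and a permitted class list. The sample column contents and the AuditLogEntry class name are constructed for the example.

```ruby
require "yaml"
require "date"

# Constructed sample column contents, shaped like what Active Record's YAML
# coder writes. AuditLogEntry is a hypothetical application class.
SAFE_COLUMN = <<~YAML
  ---
  :status: :active
  name: Alice
  since: 2020-01-02
YAML

CUSTOM_COLUMN = <<~YAML
  --- !ruby/object:AuditLogEntry
  actor: bob
YAML

# Walk the YAML AST (nothing is instantiated) and return the Ruby class names
# referenced by !ruby/... tags, e.g. "AuditLogEntry" or
# "ActiveSupport::HashWithIndifferentAccess".
def referenced_classes(yaml_text)
  names = []
  stack = [Psych.parse_stream(yaml_text)]
  until stack.empty?
    node = stack.pop
    tag = node.tag.to_s
    name = tag.split(":", 2)[1] if tag.start_with?("!ruby/")
    names << name if name
    stack.concat(node.children) if node.children
  end
  names.uniq.sort
end

# Given many column values, report the classes that would have to be added to
# config.active_record.yaml_column_permitted_classes for them to keep loading.
def missing_permissions(column_values, permitted)
  allowed = permitted.map(&:name)
  column_values.flat_map { |v| referenced_classes(v) }.uniq.sort - allowed
end

# Mirror the patched behaviour: YAML.safe_load with a permitted class list.
# Returns the deserialized object, or :rejected when a disallowed class is
# encountered (Symbol and Date also have to be listed, or plain symbols and
# date scalars are refused).
def load_column(yaml_text, permitted)
  YAML.safe_load(yaml_text, permitted_classes: permitted)
rescue Psych::DisallowedClass
  :rejected
end
```

Run missing_permissions over a sample of each serialized column before deploying the update; an empty result means the permitted list already covers the stored data.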
- CVE-2022-32224: A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record, which could allow an attacker who can manipulate data in the database (for example via SQL injection) to escalate to RCE.
- CVE-2022-44566: A denial of service vulnerability in ActiveRecord's PostgreSQL adapter. When a value outside the range of a 64-bit signed integer is provided to the PostgreSQL connection adapter, it treats the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan, leading to potential denial of service.
- CVE-2023-22792: A regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header, can cause the regular expression engine to enter a state of catastrophic backtracking.
- CVE-2023-22795: A regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking.
- CVE-2023-22796: A regular expression based DoS vulnerability in Active Support. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking.
- CVE-2023-23913: A potential DOM based cross-site scripting issue in rails-ujs, which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This can occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
- CVE-2023-28120: A vulnerability in ActiveSupport when the new bytesplice method is called on a SafeBuffer with untrusted user input.
- CVE-2023-28362: The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
- CVE-2023-38037: ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions default to the user's current umask settings, meaning that it is possible for other users on the same system to read the contents of the temporary file.
- CVE-2024-41128: A possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability.
- CVE-2024-47887: A possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability.
- CVE-2024-47889: A possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability.
- CVE-2024-54133: A possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper of Action Pack. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.
- CVE-2025-24293: Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults, which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.
- CVE-2025-55193: In Active Record logging, the ID passed to find or similar methods may be logged without escaping. If this goes directly to the terminal, it may include unescaped ANSI sequences.
For Debian 10 buster, these problems have been fixed in version 2:5.2.2.1+dfsg-1+deb10u6.
We recommend that you upgrade your rails packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.