<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Vulnerability Spoiler Alert - rails/rails</title>
    <link>https://spaceraccoon.github.io/vulnerability-spoiler-alert</link>
    <description>Vulnerability alerts for rails/rails</description>
    <language>en-us</language>
    <lastBuildDate>Fri, 17 Apr 2026 01:52:35 GMT</lastBuildDate>
    <atom:link href="https://spaceraccoon.github.io/vulnerability-spoiler-alert/feed/rails-rails.xml" rel="self" type="application/rss+xml"/>
    <item>
      <title>[HIGH] Denial of Service (Resource Exhaustion) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/98</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/98</guid>
      <pubDate>Mon, 23 Mar 2026 22:25:24 GMT</pubDate>
      <description>Before the patch, an attacker could send an HTTP Range request with an arbitrarily large byte range (e.g., &apos;bytes=0-&apos; on a large file) and the server would attempt to download and buffer the entire requested range into memory before sending it. This could exhaust server memory and cause a denial of service. The patch adds a `ranges_valid?` check that rejects any byte ranges whose total size exceeds 100MB (configurable via `ActiveStorage.streaming_chunk_max_size`).</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service (DoS) via Multi-Range HTTP Requests in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/97</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/97</guid>
      <pubDate>Mon, 23 Mar 2026 22:25:09 GMT</pubDate>
      <description>The ActiveStorage streaming controller allowed multi-range HTTP byte range requests without limiting the number of ranges. An attacker could send a request with thousands of byte ranges, causing the server to download and assemble many chunks from storage in memory, exhausting server resources and potentially causing a DoS. The patch adds a configurable `streaming_max_ranges` limit (defaulting to 1) that rejects requests with more ranges than allowed.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service (ReDoS/Resource Exhaustion) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/96</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/96</guid>
      <pubDate>Mon, 23 Mar 2026 22:24:56 GMT</pubDate>
      <description>BigDecimal in Ruby supports scientific notation (e.g., &apos;9e99999999&apos;), allowing an attacker to pass a short string that causes BigDecimal to allocate an enormous amount of memory when converting the number. Before the patch, any user-controlled string passed to number helper functions (like number_to_currency or number_to_percentage) could trigger this via BigDecimal(number). The patch rejects strings containing &apos;e&apos; or &apos;d&apos; (scientific notation indicators) before attempting BigDecimal conversion.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Improper Input Validation / Internal State Manipulation in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/95</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/95</guid>
      <pubDate>Mon, 23 Mar 2026 22:24:41 GMT</pubDate>
      <description>Before the patch, users could set protected metadata keys (analyzed, identified, composed) during a direct upload by including them in the metadata parameter. These keys control internal Active Storage state (e.g., whether a blob has been analyzed or identified), so a malicious user could set &apos;analyzed: true&apos; or &apos;identified: true&apos; to bypass file analysis/identification steps that might enforce security policies. The patch filters out these protected keys from user-supplied metadata in create_before_direct_upload!.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] XSS (Cross-Site Scripting) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/94</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/94</guid>
      <pubDate>Mon, 23 Mar 2026 22:24:27 GMT</pubDate>
      <description>The `SafeBuffer#%` method failed to preserve the unsafe status of a SafeBuffer when used for string formatting. Before the patch, formatting an unsafe SafeBuffer (one that had been marked unsafe after mutation via gsub!, etc.) would return a new SafeBuffer that was incorrectly marked as html_safe?, allowing unescaped user input to be rendered as raw HTML. The fix propagates the `@html_unsafe` flag to the result of `%` formatting.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Path Traversal in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/93</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/93</guid>
      <pubDate>Mon, 23 Mar 2026 22:23:58 GMT</pubDate>
      <description>ActiveStorage&apos;s DiskService allowed path traversal via blob keys containing segments like &apos;../../etc/passwd&apos;. The `path_for` method directly joined the root directory with user-controlled key values without validating that the resolved path stayed within the storage root, allowing attackers to read or write arbitrary files on the server filesystem. The patch adds validation that rejects keys with dot segments and verifies the resolved path remains within the storage root directory.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Glob Injection / Arbitrary File Deletion in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/92</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/92</guid>
      <pubDate>Mon, 23 Mar 2026 22:23:41 GMT</pubDate>
      <description>Before the patch, `DiskService#delete_prefixed` passed a user-influenced blob key directly into `Dir.glob` without escaping glob metacharacters. If a blob key contained characters like `*`, `?`, `[`, `]`, `{`, or `}`, the glob expansion could match and delete unintended files on the filesystem. The patch escapes all glob metacharacters in the resolved path before passing it to `Dir.glob`.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Mutation XSS (mXSS) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/91</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/91</guid>
      <pubDate>Mon, 23 Mar 2026 22:23:25 GMT</pubDate>
      <description>When a blank string is used as an HTML attribute name in Rails Action View tag helpers, `xml_name_escape` returns an empty string, producing malformed HTML like `&amp;lt;img src=&quot;/safe.png&quot; =&quot;/onerror=alert(1)&quot;&amp;gt;`. This malformed HTML can be parsed differently by different HTML parsers, enabling mutation XSS attacks where a browser&apos;s HTML parser interprets the malformed attribute as executable code. The patch fixes this by skipping blank attribute keys before they are rendered into HTML.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] XSS (Cross-Site Scripting) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/90</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/90</guid>
      <pubDate>Mon, 23 Mar 2026 22:23:09 GMT</pubDate>
      <description>The debug exceptions layout template used `raw` to output the exception message inside a `&amp;lt;script type=&quot;text/plain&quot;&amp;gt;` tag without HTML escaping. An attacker who can trigger an exception with a crafted message containing HTML/JavaScript could inject arbitrary script tags that would be rendered in the browser. The patch removes `raw` to use default ERB HTML escaping, ensuring special characters like `&amp;lt;`, `&amp;gt;` are escaped.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Cross-Site Scripting (XSS) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/55</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/55</guid>
      <pubDate>Tue, 24 Feb 2026 20:59:12 GMT</pubDate>
      <description>The markdown conversion functionality was vulnerable to XSS attacks through malicious javascript: URLs that could bypass protocol filtering using obfuscation techniques like leading whitespace, HTML entity encoding, or case variations. The patch fixes this by delegating URI validation to Rails::HTML::Sanitizer.allowed_uri? which properly handles these bypass attempts.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/50</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/50</guid>
      <pubDate>Tue, 24 Feb 2026 09:33:16 GMT</pubDate>
      <description>The custom inspect methods in various Rails classes could potentially expose sensitive internal state or configuration data through debug output, error messages, or logs. The patch replaces these with a controlled inspection mechanism that only shows explicitly whitelisted instance variables.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/49</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/49</guid>
      <pubDate>Tue, 24 Feb 2026 09:32:55 GMT</pubDate>
      <description>The custom inspect methods in various Rails classes exposed sensitive internal state including cryptographic keys, secrets, and other confidential data in debug output, logs, and error messages. The patch replaces custom inspect methods with a standardized approach that only shows safe instance variables, preventing accidental leakage of sensitive information.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Data Integrity Violation in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/19</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/19</guid>
      <pubDate>Sat, 14 Feb 2026 08:55:44 GMT</pubDate>
      <description>The Deduplicable module incorrectly treated virtual (generated) columns and regular columns as identical when they had the same name and type, causing regular columns to be silently excluded from INSERT/UPDATE operations. This resulted in NULL values being stored instead of the intended data, leading to silent data corruption.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Data Integrity Violation in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/18</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/18</guid>
      <pubDate>Sat, 14 Feb 2026 08:55:37 GMT</pubDate>
      <description>The vulnerability allows silent data corruption where regular columns can be incorrectly deduplicated with virtual columns, causing INSERT and UPDATE statements to exclude legitimate columns and store NULL values instead of the intended data. This occurs when the deduplication registry encounters a virtual column first, then treats a regular column with the same name and type as identical.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
  </channel>
</rss>