In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

Workarounds
-----------
Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb: `config.middleware.delete ActionDispatch::ActionableExceptions`

Affected Packages

RubyGems actionpack

Affected versions: 6.0.0 (fixed in 6.0.3.4)

Related CVEs

CVE-2020-8264

Key Information

GHSA ID

GHSA-35mm-cc6r-8fjp

Published

April 7, 2021 8:58 PM

Last Modified

August 8, 2023 3:34 PM

CVSS Score

5.0 /10

Primary Ecosystem

RubyGems

Primary Package

actionpack

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.