The is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.

Affected Packages

RubyGems actionview

Affected versions: 0 (fixed in 4.2.11.3)

Related CVEs

CVE-2020-8163

Key Information

GHSA ID

GHSA-cr3x-7m39-c6jq

Published

July 7, 2020 4:34 PM

Last Modified

July 5, 2023 8:22 PM

CVSS Score

7.5 /10

Primary Ecosystem

RubyGems

Primary Package

actionview

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.