GHSA-mm33-5vfq-3mm3

GitHub Security Advisory

Cross-site Scripting Vulnerability in Action Pack

GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

## Impact

CSP headers were only sent along with responses that Rails considered as
"HTML" responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.

## Releases

The FIXED releases are available at the normal locations.

## Workarounds

Set a CSP for your API responses manually.
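As an added example (not part of the advisory or of Rails itself), one way to apply this workaround at the Rack layer: a middleware that sets a Content-Security-Policy header on every response that lacks one, so API (JSON) responses are covered even on versions where Action Pack only sent CSP with HTML. The header name and the sample policy are assumptions; the sample app is constructed to mimic the pre-fix behaviour.

```ruby
# Added example, not code from the advisory or the Rails project.
# Rack-style middleware that fills in a Content-Security-Policy header on
# responses that have none, regardless of content type, so API responses
# get a CSP. Register in a Rails app with:
#   config.middleware.use ApiCspMiddleware
class ApiCspMiddleware
  CSP_HEADER = "Content-Security-Policy".freeze
  # Assumed restrictive policy suited to API responses that render no markup.
  API_POLICY = "default-src 'none'; frame-ancestors 'none'".freeze

  def initialize(app, policy: API_POLICY)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Respect a policy the application already set (e.g. the HTML CSP);
    # only fill the gap for responses that carry none.
    headers[CSP_HEADER] = @policy unless csp?(headers)
    [status, headers, body]
  end

  private

  # Header names may differ in case depending on the app and Rack version.
  def csp?(headers)
    headers.keys.any? { |k| k.to_s.casecmp?(CSP_HEADER) }
  end
end

# Constructed sample app: a JSON endpoint without a CSP and an HTML page that
# already carries one, mimicking vulnerable Action Pack behaviour.
SAMPLE_APP = lambda do |env|
  if env["PATH_INFO"] == "/api/users"
    [200, { "Content-Type" => "application/json" }, ['{"users":[]}']]
  else
    [200, { "Content-Type" => "text/html",
            "Content-Security-Policy" => "default-src 'self'" }, ["<p>hi</p>"]]
  end
end

# Returns the CSP header value for a path after the middleware has run.
def csp_for(path, app = ApiCspMiddleware.new(SAMPLE_APP))
  _status, headers, _body = app.call("PATH_INFO" => path)
  headers.find { |k, _| k.to_s.casecmp?(ApiCspMiddleware::CSP_HEADER) }&.last
end
```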

Affected Packages

RubyGems actionpack: >= 5.2.0, < 5.2.7.1 (fixed in 5.2.7.1)
RubyGems actionpack: >= 6.0.0, < 6.0.4.8 (fixed in 6.0.4.8)
RubyGems actionpack: >= 6.1.0, < 6.1.5.1 (fixed in 6.1.5.1)
RubyGems actionpack: >= 7.0.0, < 7.0.2.4 (fixed in 7.0.2.4)

Key Information

GHSA ID
GHSA-mm33-5vfq-3mm3
Published
April 27, 2022 10:28 PM
Last Modified
June 8, 2022 6:05 PM
CVSS Score
5.0 / 10
Primary Ecosystem
RubyGems
Primary Package
actionpack
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 21, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.