GHSA-pr3h-jjhj-573x

GitHub Security Advisory

Sprockets path traversal leads to information leak

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Specially crafted requests can be used to read files on the filesystem that lie outside the application's root directory when the Sprockets server is used in production.

All users running an affected release should either upgrade or apply one of the workarounds immediately.

### Workaround:

In Rails applications, to work around this issue, set `config.assets.compile = false` and `config.public_file_server.enabled = true` in an initializer and precompile the assets.

This workaround will not be possible in all hosting environments, and upgrading is advised.
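The advisory describes the failure mode (a request resolving to a file outside the asset root) and gives the production workaround (serve only precompiled assets). As an added illustration, not Sprockets' own code or its fix, the hypothetical helper below shows the general defensive check an asset server needs: canonicalise the requested path against a fixed root with `realpath` and refuse anything that does not end up beneath that root. `demo_traversal_check` builds a constructed temporary directory tree so the check can be exercised offline.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Resolve a requested asset path against a fixed root directory and refuse
# anything that escapes it. Hypothetical helper for illustration; it is not
# the code Sprockets uses. Returns the resolved absolute path, or nil when
# the request is rejected.
def safe_asset_path(root, requested)
  root_path = Pathname.new(root).realpath
  # Reject absolute paths and embedded NUL bytes outright.
  return nil if requested.start_with?("/") || requested.include?("\0")

  candidate = Pathname.new(File.join(root_path.to_s, requested))
  # realpath resolves "..", "." and symlinks; it raises if nothing exists there.
  resolved = begin
    candidate.realpath
  rescue Errno::ENOENT, Errno::ENOTDIR, Errno::EACCES, Errno::ELOOP
    return nil
  end

  # Accept only a regular file that is the root itself or lies beneath it
  # (the separator check stops "/srv/assets-old" matching root "/srv/assets").
  inside = resolved.to_s == root_path.to_s ||
           resolved.to_s.start_with?(root_path.to_s + File::SEPARATOR)
  return nil unless inside && resolved.file?

  resolved.to_s
end

# Build a constructed throwaway tree under Dir.tmpdir:
#   <base>/assets/app.css   legitimate asset inside the root
#   <base>/secret.txt       sibling of the root; must stay unreachable
# and run four representative requests through the check.
# Returns a Hash of request kind => result (path or nil).
def demo_traversal_check
  Dir.mktmpdir("sprockets-demo") do |base|
    root = File.join(base, "assets")
    FileUtils.mkdir_p(root)
    File.write(File.join(root, "app.css"), "body{}")
    File.write(File.join(base, "secret.txt"), "not-an-asset")

    {
      legit:     safe_asset_path(root, "app.css"),             # served
      traversal: safe_asset_path(root, "../secret.txt"),       # nil: escapes root
      absolute:  safe_asset_path(root, File.join(base, "secret.txt")), # nil
      missing:   safe_asset_path(root, "nope.css"),            # nil: no such file
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_traversal_check.each { |kind, result| puts "#{kind}: #{result.inspect}" }
end
```

The check is performed on the resolved path rather than on the request string, so encoded or doubled `..` segments and symlinks are all normalised before the comparison. It complements rather than replaces the advisory's workaround: with `config.assets.compile = false` and precompiled assets, no request reaches a runtime file lookup at all.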

Affected Packages

RubyGems sprockets
Affected versions: 3.0.0 (fixed in 3.7.2)
Affected versions: 4.0.0.beta1 (fixed in 4.0.0.beta8)
Affected versions: 0 (fixed in 2.12.5)

Key Information

GHSA ID
GHSA-pr3h-jjhj-573x
Published
June 20, 2018 10:18 PM
Last Modified
September 5, 2023 9:05 PM
CVSS Score
7.5 / 10
Primary Ecosystem
RubyGems
Primary Package
sprockets
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.