Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-vfm5-rmrh-j26v

GitHub Security Advisory

Possible Content Security Policy bypass in Action Dispatch

✓ GitHub Reviewed LOW Has CVE
View on GitHub

Advisory Details

There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack.

Impact
------
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits
-------
Thanks to [ryotak](https://hackerone.com/ryotak) for the report!

Affected Packages

RubyGems actionpack
Affected versions: 5.2.0 (fixed in 7.0.8.7)
RubyGems actionpack
Affected versions: 7.1.0 (fixed in 7.1.5.1)
RubyGems actionpack
Affected versions: 7.2.0 (fixed in 7.2.2.1)
RubyGems actionpack
Affected versions: 8.0.0 (fixed in 8.0.0.1)

Related CVEs

CVE-2024-54133

Key Information

GHSA ID
GHSA-vfm5-rmrh-j26v
Published
December 10, 2024 10:42 PM
Last Modified
March 7, 2025 3:31 AM
CVSS Score
2.5 /10
Primary Ecosystem
RubyGems
Primary Package
actionpack
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.