CVE-2012-2660
Description
Ruby on Rails before 3.0.13, 3.1.5, 3.2.4 allows attackers to inject IS NULL clauses into SQL queries via crafted parameters with [nil] values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The flaw sits in Action Pack's request object (actionpack/lib/action_dispatch/http/request.rb on the 3.x branches; the patch on this page is against the older actionpack/lib/action_controller/request.rb path). It arises from a mismatch between how Rack parses query parameters and how Active Record interprets them. A bracketed parameter name with no value, such as ?token[], is parsed by Rack into an array holding a single nil, [nil]. Active Record's hash conditions treat an array value as an IN list, and an array whose only element is nil collapses to an IS NULL predicate, so the application runs WHERE token IS NULL instead of a comparison against the supplied value. All 3.x releases before 3.0.13, 3.1.5 and 3.2.4 are affected [4]; the GitHub advisory additionally lists actionpack 2.3.x before 2.3.16 (see the table below).
Exploitation
An attacker sends a request whose parameter is parsed as [nil], for example GET /reset?token[] in place of ?token=<value>. Code that guards the lookup with a nil check such as unless params[:token].nil? still runs the query, because [nil] is an Array, not nil; blank? does not help either, since a one-element array is not blank. No authentication is required if the endpoint is publicly accessible, and no special network position or user interaction is needed; the attacker simply sends the crafted request to the vulnerable application [4].
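The parsing mismatch in the Vulnerability section and the nil-check bypass above, as an added example that is not code from Rails, Rack or the advisory. parse_nested_query re-implements the subset of Rack-style nested query parsing needed here (plain keys, k[] arrays and k[sub] hashes; the array-of-hashes form is left out), where_sql approximates how Active Record 3 rendered a hash condition, and lookup_by_reset_token is a hypothetical controller helper using the guard the advisory warned about.

```ruby
# Added example (not Rails/Rack code): how ?token[] becomes "reset_token IS NULL".
require 'cgi'

# Parse "a=1&b[]=2&c[]" into nested Ruby structures. A name with no "=" gets the
# value nil, so "c[]" appends nil to an array and yields {"c" => [nil]}.
def parse_nested_query(qs)
  qs.split('&').each_with_object({}) do |pair, params|
    next if pair.empty?
    name, value = pair.split('=', 2)
    value = CGI.unescape(value) unless value.nil?
    normalize_params(params, CGI.unescape(name), value)
  end
end

def normalize_params(params, name, value)
  head, rest = name.match(/\A([^\[\]]*)(.*)\z/m).captures
  if rest.empty?                                        # plain key: "token"
    params[head] = value
  elsif rest == '[]'                                    # array append: "token[]" (the [nil] path)
    arr = (params[head] ||= [])
    raise TypeError, "expected Array for #{head}" unless arr.is_a?(Array)
    arr << value
  elsif (m = rest.match(/\A\[([^\[\]]+)\](.*)\z/m))     # nested hash key: "token[foo]..."
    child = (params[head] ||= {})
    raise TypeError, "expected Hash for #{head}" unless child.is_a?(Hash)
    normalize_params(child, m[1] + m[2], value)
  else
    raise ArgumentError, "unsupported parameter name #{name.inspect}"
  end
  params
end

# Render a hash condition roughly the way Active Record 3's where(hash) did:
# a scalar becomes "col = 'v'", an Array becomes "col IN (...)", and nil, or an
# Array whose only element is nil, becomes "col IS NULL". Values are quoted, so
# there is no string injection here; the problem is the *shape* of the value.
def where_sql(table, conditions)
  clauses = conditions.map do |col, val|
    case val
    when nil then "#{col} IS NULL"
    when Array
      present = val.compact.map { |x| quote(x) }
      if val.empty?                  then '1=0'                       # empty IN matches nothing
      elsif present.empty?           then "#{col} IS NULL"            # [nil] -> IS NULL (vulnerable path)
      elsif present.size == val.size then "#{col} IN (#{present.join(', ')})"
      else "(#{col} IN (#{present.join(', ')}) OR #{col} IS NULL)"   # [nil, 'x']
      end
    else "#{col} = #{quote(val)}"
    end
  end
  "SELECT * FROM #{table} WHERE #{clauses.join(' AND ')}"
end

def quote(v)
  "'#{v.to_s.gsub("'", "''")}'"
end

# The pattern the advisory warned about: a nil? guard in front of a lookup.
# [nil].nil? is false, so the crafted request reaches where_sql with an Array.
def lookup_by_reset_token(params)
  token = params['token']
  return nil if token.nil?
  where_sql('users', 'reset_token' => token)
end

if __FILE__ == $0
  puts lookup_by_reset_token(parse_nested_query('token=abc123'))   # constructed normal request
  # => SELECT * FROM users WHERE reset_token = 'abc123'
  puts lookup_by_reset_token(parse_nested_query('token[]'))        # constructed crafted request
  # => SELECT * FROM users WHERE reset_token IS NULL
end
```

Run it and compare the two queries: the crafted request never supplies a token at all, yet the lookup is executed and matches every row whose reset_token column is NULL.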
Impact
Successful exploitation makes the application execute a query with an IS NULL predicate where it expected an equality match, e.g. WHERE reset_token IS NULL instead of WHERE reset_token = '<token>'. The rows returned are those whose column is NULL, which in a password reset flow may match accounts that have no token set at all, bypassing the token check; in other lookups it exposes rows that should not have been visible. The attacker controls only whether the predicate is = value or IS NULL, so this is not a general SQL injection, and the impact ranges from information disclosure to privilege escalation depending on the query context [4].
Mitigation
Fixed versions are Rails 3.0.13, 3.1.5 and 3.2.4 [4]; the GitHub advisory also lists 2.3.16 for the 2.3 branch. The fix rewrites a parameter value that is exactly [nil] to nil before the application sees it (the deep_munge method in the patch below). Where upgrading is not immediately possible, the workaround is to stop trusting the type of the parameter: either rewrite [nil] yourself (e.g. params[:token] = nil if params[:token] == [nil]) or require a String before querying (e.g. token = params[:token]; proceed only if token.is_a?(String) && !token.empty?). Casting with to_s is only a fix if the cast value, not the raw parameter, is what reaches the query; [nil].to_s.empty? is true only on Ruby 1.8, and on 1.9 and later [nil].to_s is the string "[nil]". Red Hat issued advisory RHSA-2013:0154 for affected products [1]. Users should upgrade to the fixed versions or apply the patches provided by the Rails team [4]. No KEV listing exists.
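The request-side hardening described above, as an added example that is not code from Rails or the advisory. deep_munge is a from-scratch rewrite of the idea in the Rails fix (rewrite a value that is exactly [nil] to nil); the *_guard methods and extract_token are hypothetical helpers that compare parameter checks that do and do not stop a [nil] value.

```ruby
# Added example (not Rails code): request-side hardening against [nil] params.

# Walk a params hash and replace every value that is exactly [nil] with nil,
# recursing into nested hashes and into hashes held inside arrays. Only the
# exact [nil] shape is rewritten: [nil, "x"] is left alone, as in the upstream fix.
def deep_munge(hash)
  hash.keys.each do |k|
    v = hash[k]
    case v
    when Array then v.each { |e| deep_munge(e) if e.is_a?(Hash) }
    when Hash  then deep_munge(v)
    end
    hash[k] = nil if v == [nil]
  end
  hash
end

# Each guard returns true when the value would be allowed through to a query.
def nil_guard(v)
  !v.nil?                          # [nil].nil? is false: lets [nil] through
end

def blank_guard(v)
  # ActiveSupport-style blank?: an Array is blank only when empty, so [nil] is not blank.
  !(v.nil? || (v.respond_to?(:empty?) && v.empty?))
end

def to_s_guard(v)
  !v.to_s.empty?                   # [nil].to_s is "[nil]" on Ruby 1.9+: lets [nil] through
end

def string_guard(v)
  v.is_a?(String) && !v.empty?     # rejects arrays and hashes outright
end

# What a controller should do before querying: accept exactly one non-empty String.
def extract_token(params)
  v = params['token']
  string_guard(v) ? v : nil
end

if __FILE__ == $0
  crafted = { 'token' => [nil] }   # constructed input: what Rack produces for ?token[]
  p [nil_guard(crafted['token']), blank_guard(crafted['token']),
     to_s_guard(crafted['token']), string_guard(crafted['token'])]
  # => [true, true, true, false]
  p deep_munge({ 'token' => [nil], 'user' => { 'email' => [nil] } })
  # => {"token"=>nil, "user"=>{"email"=>nil}}
end
```

deep_munge is the defence-in-depth layer at the framework boundary; string_guard (or an equivalent strong-parameter type check) is what application code should do regardless, because the munging deliberately leaves mixed arrays such as [nil, "x"] untouched.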
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionpack (RubyGems) | >= 3.0.0.beta, < 3.0.13 | 3.0.13 |
| actionpack (RubyGems) | >= 3.1.0, < 3.1.5 | 3.1.5 |
| actionpack (RubyGems) | >= 3.2.0, < 3.2.4 | 3.2.4 |
| actionpack (RubyGems) | < 2.3.16 | 2.3.16 |
Affected products
- cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*
Patches
2 files changed · +27 −1
actionpack/lib/action_controller/request.rb+21 −0 modified@@ -491,5 +491,26 @@ def normalize_parameters(value) value end end + protected + + # Remove nils from the params hash + def deep_munge(hash) + hash.each_value do |v| + case v + when Array + v.grep(Hash) { |x| deep_munge(x) } + when Hash + deep_munge(v) + end + end + + keys = hash.keys.find_all { |k| hash[k] == [nil] } + keys.each { |k| hash[k] = nil } + hash + end + + def parse_query(qs) + deep_munge(super) + end end end
actionpack/test/controller/request/query_string_parsing_test.rb+6 −1 modified@@ -81,7 +81,12 @@ def teardown end test "query string without equal" do - assert_parses({ "action" => nil }, "action") + assert_parses({"action" => nil}, "action") + assert_parses({"action" => {"foo" => nil}}, "action[foo]") + assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar]") + assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar][]") + assert_parses({"action" => {"foo" => nil}}, "action[foo][]") + assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]") end test "query string with empty key" do
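Review bot: in the actionpack/lib/action_controller/request.rb hunk, `deep_munge` rewrites only a value that is exactly `[nil]` (`hash[k] == [nil]`), and the Array branch recurses only into Hash elements via `v.grep(Hash)`, so `[nil, "x"]` and a `[nil]` sitting inside an array of arrays pass through unchanged; the header comment `# Remove nils from the params hash` promises more than the method does and should say something like `# Replace values that are exactly [nil] with nil`. The only hook is `parse_query`; the diff does not show whether other parameter sources (JSON, XML or multipart bodies) can produce `[nil]`, so a test or a comment stating that they cannot, or that they are munged elsewhere, would make the scope of the fix clear.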
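Review bot: the new assertions in query_string_parsing_test.rb cover `action[foo]`, `action[foo][bar]`, `action[foo][bar][]`, `action[foo][]` and `action[foo][][bar]`, but none checks the top-level form `action[]`, which is the `?token[]` shape from the advisory, nor a mixed array such as `action[]=x&action[]`, which the exact-equality munge leaves as `["x", nil]`; add `assert_parses({"action" => nil}, "action[]")` and an assertion for the mixed case so the intended behaviour is pinned down. The first changed line only drops whitespace inside `assert_parses({"action" => nil}, "action")` and is unrelated churn.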
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32 [nvd: Exploit, Web]
- github.com/advisories/GHSA-hgpp-pp89-4fgf [ghsa: Advisory]
- nvd.nist.gov/vuln/detail/CVE-2012-2660 [ghsa: Advisory]
- lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html [nvd: Web]
- lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html [nvd: Web]
- lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html [nvd: Web]
- lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html [nvd: Web]
- lists.opensuse.org/opensuse-updates/2012-08/msg00046.html [nvd: Web]
- rhn.redhat.com/errata/RHSA-2013-0154.html [nvd: Web]
- github.com/rails/rails/commit/61eed87ce32caf534bf1f52dd8134097b4ad9e1b [ghsa: Web]
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml [ghsa: Web]
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2660.yml [ghsa: Web]
- groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ [ghsa: Web]
News mentions
No linked articles in our index yet.