CVE-2019-12732
Description
The Chartkick gem through 3.1.0 for Ruby allows XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Chartkick Ruby gem through v3.1.0 is vulnerable to XSS (reflected or stored) when HTML-entity escaping of JSON output is disabled or absent and untrusted data is passed to its chart helpers.
Vulnerability Overview
CVE-2019-12732 is a cross-site scripting (XSS) vulnerability in the Chartkick Ruby gem, affecting versions 3.1.0 and earlier. The root cause lies in the gem's handling of chart options and data: the JSON it embeds into the page's inline JavaScript is not HTML-safe when ActiveSupport's escape_html_entities_in_json setting is false (Rails defaults it to true) or when Chartkick is used outside Rails, for example with Sinatra, where no such escaping is applied at all [4]. Under those conditions, user-supplied strings are emitted verbatim inside the script that builds the chart, so a value containing a closing </script> tag or similar markup lets an attacker inject arbitrary JavaScript.
Exploitation and Attack Surface
Exploitation requires two conditions to be met simultaneously. First, the application must have disabled JSON HTML entity escaping (escape_html_entities_in_json = false) or be running outside of Rails. Second, untrusted data—either directly from user input via parameters or indirectly through database content—must be passed to a chart helper such as line_chart or column_chart [4]. The gem does not sanitize strings supplied as chart options (e.g., min: params[:min]) or as data series labels, making them vectors for script injection [2].
Impact
A successful attack allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session when the page renders the chart. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. No authentication is required to trigger the vulnerability if the vulnerable page is publicly accessible and receives untrusted input [3].
Mitigation
Chartkick version 3.2.0 patches this vulnerability by properly escaping JSON output in all configurations [2][4]. Users should upgrade to 3.2.0 or later immediately. For users unable to upgrade, ensuring escape_html_entities_in_json is set to true (the Rails default) and validating/sanitizing all data passed to chart helpers can reduce but not eliminate risk, especially in non-Rails frameworks.
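The following added example (written for this page, not Chartkick's own helper code) reproduces the two rendering behaviours described above with plain Ruby: a simplified chart helper that interpolates stdlib JSON straight into an inline <script>, which is what an application gets with escape_html_entities_in_json = false or outside Rails, beside a hardened variant that escapes the JSON before interpolation. The json_escape helper is a hypothetical reimplementation mirroring what ActiveSupport's ERB::Util.json_escape does (it is not available in the Ruby standard library); the payload, data and options are constructed sample input.

```ruby
require "json"

# Constructed attacker-controlled value, as it might arrive via params[:min] or a
# database-stored series label (constructed sample input, not from the advisory).
PAYLOAD = "</script><script>alert(document.cookie)</script>".freeze
SAMPLE_DATA    = { "Jan" => 10, PAYLOAD => 20 }.freeze   # series labels come from untrusted rows
SAMPLE_OPTIONS = { min: PAYLOAD }.freeze                  # e.g. min: params[:min]

# Vulnerable pattern (simplified stand-in for a chart helper, not Chartkick's own code):
# JSON is interpolated straight into an inline <script>. Ruby's stdlib JSON leaves '<', '>'
# and '&' untouched, which is also what to_json yields in Rails when
# ActiveSupport.escape_html_entities_in_json = false, or in Sinatra with no ActiveSupport.
def render_chart_unsafe(data, options)
  "<script>new Chartkick.LineChart(\"chart-1\", #{JSON.generate(data)}, #{JSON.generate(options)});</script>"
end

# Hardened pattern: escape the characters that can end the <script> data context while the
# result stays valid JSON (\uXXXX escapes are decoded by the JS parser, not the HTML parser).
# Hypothetical helper mirroring ActiveSupport's ERB::Util.json_escape.
JSON_ESCAPE_MAP = {
  "&" => '\u0026', ">" => '\u003e', "<" => '\u003c',
  "\u2028" => '\u2028', "\u2029" => '\u2029'   # line/paragraph separators break JS string literals
}.freeze

def json_escape(json)
  json.gsub(/[&<>\u2028\u2029]/, JSON_ESCAPE_MAP)
end

def render_chart_safe(data, options)
  "<script>new Chartkick.LineChart(\"chart-1\", #{json_escape(JSON.generate(data))}, #{json_escape(JSON.generate(options))});</script>"
end

# Check: the only literal </script> in the output should be the helper's own closing tag.
def script_broken_out?(html)
  html.scan("</script>").size > 1
end

# Check: escaping must not change the data the browser's JSON/JS parser sees.
def round_trips?(obj)
  JSON.parse(json_escape(JSON.generate(obj))) == JSON.parse(JSON.generate(obj))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe breaks out of <script>: #{script_broken_out?(render_chart_unsafe(SAMPLE_DATA, SAMPLE_OPTIONS))}"
  puts "safe   breaks out of <script>: #{script_broken_out?(render_chart_safe(SAMPLE_DATA, SAMPLE_OPTIONS))}"
  puts render_chart_safe(SAMPLE_DATA, SAMPLE_OPTIONS)
end
```

The unsafe output contains the payload's closing tag literally, so the HTML parser ends the script element early and the injected <script> runs; the escaped output carries the same values (round_trips? holds) but the browser never sees a literal `<` or `>` inside the JSON. In a Rails app the upgrade to 3.2.0 is the fix; as an interim check, confirm in a console that ActiveSupport.escape_html_entities_in_json is true, and remember that this setting does nothing for non-Rails frameworks.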
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| chartkick (RubyGems) | < 3.2.0 | 3.2.0 |
Affected products
- Ruby / Chartkick
References
[1] GitHub Security Advisory GHSA-g45g-g52h-39rg: github.com/advisories/GHSA-g45g-g52h-39rg
[2] NVD entry: nvd.nist.gov/vuln/detail/CVE-2019-12732
[3] Chartkick CHANGELOG: github.com/ankane/chartkick/blob/master/CHANGELOG.md
[4] Chartkick issue #488: github.com/ankane/chartkick/issues/488