VYPR
Moderate severity · NVD Advisory · Published Aug 5, 2020 · Updated Aug 4, 2024

CVE-2020-16252

Description

The Field Test gem 0.2.0 through 0.3.2 for Ruby allows CSRF.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Field Test gem for Ruby (0.2.0–0.3.2) is vulnerable to CSRF when using non-session authentication, allowing variant changes via forged requests.

The Field Test gem, versions 0.2.0 through 0.3.2, contains a cross-site request forgery (CSRF) vulnerability [1][4]. The gem provides A/B testing for Rails applications and includes a dashboard for viewing results and updating variants. The root cause is that the dashboard's base controller called Rails' protect_from_forgery with no explicit strategy, which defaults to :null_session. That strategy does not reject an unverified request; it only empties the request's session before the action runs. When the dashboard is protected by a non-session mechanism, such as the HTTP basic authentication the gem enables via http_basic_authenticate_with when FIELD_TEST_PASSWORD is set, the identity comes from the Authorization header rather than the session, so clearing the session changes nothing and the forged request is processed as the authenticated user [4].

To exploit this vulnerability, an attacker must lure a user who is authenticated to the dashboard into visiting a malicious website, which then submits a forged request; the browser attaches the cached basic-auth credentials automatically. Only a single endpoint is affected, the one that changes the variant assigned to a user [4]. Session-based authentication methods, like Devise's default, are not affected, because :null_session discards the forged request's session and the request therefore arrives unauthenticated [4].

Successful exploitation enables an attacker to change the variant assigned to a victim user, potentially skewing A/B test results or manipulating the user experience [4].

The vulnerability has been addressed in Field Test version 0.4.0, where the CSRF protection strategy was changed to protect_from_forgery with: :exception, so an unverified request raises ActionController::InvalidAuthenticityToken instead of proceeding with an empty session [4]. All users running an affected release are advised to upgrade to 0.4.0 [4].
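The interaction described in the three paragraphs above, as an added example that is not part of the advisory or of the field_test gem. It is a small stand-alone Ruby model of Rails' two CSRF strategies (not Rails' own code; the real implementation masks tokens and reads them from the session store) combined with header-based basic authentication and cookie-session authentication. The credentials, experiment name, user id and request shapes are constructed for the model.

```ruby
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

# A request as the controller sees it: method, cookie session, headers, params.
Request = Struct.new(:http_method, :session, :headers, :params, keyword_init: true)

# Constructed dashboard credentials (the gem reads FIELD_TEST_USERNAME/PASSWORD).
DASHBOARD_USER = "admin"
DASHBOARD_PASSWORD = "s3cret"

# Model of Rails' verified_request?: safe methods are exempt, otherwise the
# submitted authenticity_token must equal the token stored in the session.
def verified_request?(req)
  return true if %w[GET HEAD].include?(req.http_method)
  token = req.session[:_csrf_token]
  !token.nil? && req.params["authenticity_token"] == token
end

# protect_from_forgery (no strategy) => :null_session. The request is NOT
# rejected; its session is emptied, which only removes session-based identity.
def null_session_strategy(req)
  req.session.clear unless verified_request?(req)
  req
end

# protect_from_forgery with: :exception (the 0.4.0 fix): unverified => raise.
def exception_strategy(req)
  raise InvalidAuthenticityToken unless verified_request?(req)
  req
end

# http_basic_authenticate_with: identity comes from the Authorization header,
# independent of the session, so :null_session cannot remove it.
def basic_auth_user(req)
  header = req.headers["Authorization"].to_s
  return nil unless header.start_with?("Basic ")
  user, pass = header.delete_prefix("Basic ").unpack1("m").split(":", 2)
  user if user == DASHBOARD_USER && pass == DASHBOARD_PASSWORD
end

# Devise-style identity: the user id lives in the session cookie.
def session_user(req)
  req.session[:user_id]
end

# Runs the CSRF strategy, then the authenticator, the way the callbacks in
# BaseController would. :changed means the variant change would be applied.
def handle_variant_change(req, strategy:, auth:)
  req = send(strategy, req)
  send(auth, req) ? :changed : :rejected
rescue InvalidAuthenticityToken
  :rejected
end

# Four forged cross-site POSTs (auth mechanism x CSRF strategy) plus one
# legitimate submission from the dashboard's own form.
def simulate
  token = SecureRandom.hex(16)
  basic_header = { "Authorization" => "Basic " + ["#{DASHBOARD_USER}:#{DASHBOARD_PASSWORD}"].pack("m0") }

  # The browser attaches the victim's cookies and cached Basic credentials to a
  # cross-site POST automatically, but the attacker cannot read the token.
  forged = lambda do |session, headers|
    Request.new(http_method: "POST", session: session, headers: headers,
                params: { "experiment" => "button_color", "variant" => "red" })
  end

  legit = Request.new(http_method: "POST", session: { _csrf_token: token }, headers: basic_header,
                      params: { "variant" => "red", "authenticity_token" => token })

  {
    basic_auth_null_session:   handle_variant_change(forged.call({ _csrf_token: token }, basic_header),
                                                     strategy: :null_session_strategy, auth: :basic_auth_user),
    basic_auth_exception:      handle_variant_change(forged.call({ _csrf_token: token }, basic_header),
                                                     strategy: :exception_strategy, auth: :basic_auth_user),
    session_auth_null_session: handle_variant_change(forged.call({ _csrf_token: token, user_id: 42 }, {}),
                                                     strategy: :null_session_strategy, auth: :session_user),
    session_auth_exception:    handle_variant_change(forged.call({ _csrf_token: token, user_id: 42 }, {}),
                                                     strategy: :exception_strategy, auth: :session_user),
    legitimate_with_token:     handle_variant_change(legit, strategy: :exception_strategy, auth: :basic_auth_user)
  }
end

if __FILE__ == $PROGRAM_NAME
  simulate.each { |scenario, outcome| puts "#{scenario}: #{outcome}" }
end
```

Only the basic_auth_null_session scenario comes out as :changed: the session is cleared, but the Authorization header still identifies the victim, which is exactly the pre-0.4.0 condition. With :exception the same forged request is rejected, and the legitimate form submission that carries the token still succeeds, so the fix does not break the dashboard's own flow.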

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: field_test (RubyGems)
Affected versions: >= 0.2.0, < 0.4.0
Patched versions: 0.4.0

Affected products: 2

Patches: 1

defd3fdf457c

Fixed CSRF vulnerability with non-session based authentication

https://github.com/ankane/field_test · Andrew Kane · Aug 4, 2020 · via ghsa
2 files changed · +3 −2
  • app/controllers/field_test/base_controller.rb+1 1 modified
    @@ -2,7 +2,7 @@ module FieldTest
       class BaseController < ActionController::Base
         layout "field_test/application"
     
    -    protect_from_forgery
    +    protect_from_forgery with: :exception
     
         http_basic_authenticate_with name: ENV["FIELD_TEST_USERNAME"], password: ENV["FIELD_TEST_PASSWORD"] if ENV["FIELD_TEST_PASSWORD"]
       end
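Review bot: switching to `protect_from_forgery with: :exception` makes every unverified non-GET request to the dashboard raise, but this hunk touches only the controller; the view that submits the variant change is not in the diff, so please confirm it renders the authenticity token (a form helper with the token, or `csrf_meta_tags` plus the X-CSRF-Token header for a JavaScript request). Without that, the legitimate dashboard action now fails with InvalidAuthenticityToken in exactly the basic-auth deployments this fix targets. Also note that the CSRF callback is declared before `http_basic_authenticate_with`, so a forged request without credentials will be answered with the forgery error rather than a 401; that is acceptable, but worth a comment if the ordering is intentional.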
    
  • CHANGELOG.md+2 1 modified
    @@ -1,5 +1,6 @@
    -## 0.3.3 (unreleased)
    +## 0.4.0 (unreleased)
     
    +- Fixed CSRF vulnerability with non-session based authentication
     - Fixed cache key for requests
     
     ## 0.3.2 (2020-04-16)
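Review bot: the new entry under `## 0.4.0 (unreleased)` names the fix but not the behaviour change that comes with it; since an unverified request is now rejected with an exception instead of having its session cleared, readers who call the variant endpoint outside the dashboard form need to know they must send the authenticity token. Suggest expanding the line to say so, and adding the advisory identifier once it is assigned. Bumping the pending release from 0.3.3 to 0.4.0 is a reasonable way to signal that change.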
    


References: 5
