CVE-2020-8163
Description
There is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to achieve remote code execution (RCE).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-8163 is a code injection vulnerability in Ruby on Rails <5.0.1 allowing RCE when an attacker controls the `locals` argument of a `render` call.
CVE-2020-8163 describes a code injection vulnerability in Ruby on Rails versions prior to 5.0.1. The root cause is that the framework did not properly validate or restrict the names of local variables passed via the locals argument in the render method [1][3]. This allows an attacker who can control the names of these local variables to inject arbitrary Ruby code, leading to remote code execution (RCE).
Exploitation
To exploit this vulnerability, an attacker must be able to control the locals hash passed to a render call, specifically the keys (variable names) within that hash [1]. This is typically possible if user-supplied input is directly passed to the render method as part of the locals parameter. The attacker does not need authentication if the vulnerable endpoint is accessible without credentials [3].
Impact
Successful exploitation grants the attacker the ability to execute arbitrary Ruby code on the server, potentially leading to full compromise of the application, data theft, or further lateral movement [1].
Mitigation
The vulnerability is fixed in Rails 4.2.11.3 and 5.0.1 [2][3]. Users of earlier versions should upgrade as soon as possible. For those unable to upgrade, a patch is available, and a workaround is to ensure all user-provided local names are alphanumeric [3].
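The workaround above, enforced in code, as an added example that is not part of this page or of the Rails project: before a hash of user-influenced names reaches `render locals:`, every key is checked against an allowlist and the request fails closed on the first unsafe name. The names `SAFE_LOCAL_NAME`, `safe_local_names?`, `sanitize_render_locals` and `RejectedLocalName` are this example's own, not Rails API, and the pattern is deliberately a little stricter than "alphanumeric" (it also requires a leading lowercase letter or underscore, which a Ruby local variable name needs anyway).

```ruby
# Added example, not code from the page or from the Rails project.
# Demonstrates the advisory's workaround for CVE-2020-8163: only alphanumeric
# names may reach the `locals:` argument of `render`. SAFE_LOCAL_NAME,
# safe_local_names?, sanitize_render_locals and RejectedLocalName are
# assumptions of this example, not Rails API.

# Allowed shape for a local name: a lowercase letter or underscore followed by
# letters, digits or underscores (stricter than plain "alphanumeric").
SAFE_LOCAL_NAME = /\A[a-z_][a-z0-9_]*\z/.freeze

class RejectedLocalName < ArgumentError; end

# True when every key in +locals+ is a safe local name.
def safe_local_names?(locals)
  locals.keys.all? { |name| name.to_s.match?(SAFE_LOCAL_NAME) }
end

# Builds the hash that may be handed to `render locals: ...`. Keys are
# normalised to symbols; the first unsafe key raises, so the request fails
# closed instead of the name ever reaching the template compiler.
def sanitize_render_locals(locals)
  locals.each_with_object({}) do |(name, value), safe|
    key = name.to_s
    unless key.match?(SAFE_LOCAL_NAME)
      raise RejectedLocalName, "local name #{key.inspect} is not alphanumeric"
    end
    safe[key.to_sym] = value
  end
end

# Constructed sample input standing in for user-influenced keys (for example
# form field names that a controller turned into locals).
SAMPLE_OK  = { "title" => "Hello", :count => 3, "show_footer" => true }.freeze
SAMPLE_BAD = { "title" => "Hello", "user name" => "x" }.freeze

if __FILE__ == $PROGRAM_NAME
  p sanitize_render_locals(SAMPLE_OK)
  begin
    sanitize_render_locals(SAMPLE_BAD)
  rescue RejectedLocalName => e
    puts "rejected: #{e.message}"
  end
end
```

Apply the filter at the controller boundary, where the user-controlled hash is built, so that the only keys that ever become local variable names are ones that matched the allowlist; logging the rejected name (without echoing it into a template) also gives a useful detection signal for probing against this weakness.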
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionview (RubyGems) | < 4.2.11.3 | 4.2.11.3 |
Affected products
- Rails/Rails: range < 5.0.1 (+ 9 more)
- OSV coordinates (10 versions):
  - pkg:bitnami/rails
  - pkg:gem/actionview
  - pkg:rpm/suse/rubygem-actionview-4_2&distro=SUSE%20OpenStack%20Cloud%206-LTSS
  - pkg:rpm/suse/rubygem-actionview-4_2&distro=SUSE%20OpenStack%20Cloud%207
  - pkg:rpm/suse/rubygem-actionview-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
  - pkg:rpm/suse/rubygem-actionview-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
  - pkg:rpm/suse/rubygem-activesupport-4_2&distro=SUSE%20OpenStack%20Cloud%206-LTSS
  - pkg:rpm/suse/rubygem-activesupport-4_2&distro=SUSE%20OpenStack%20Cloud%207
  - pkg:rpm/suse/rubygem-activesupport-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
  - pkg:rpm/suse/rubygem-activesupport-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
- (no CPE) range: < 5.0.1
- (no CPE) range: < 4.2.11.3
- (no CPE) range: < 4.2.9-9.9.1
- (no CPE) range: < 4.2.9-9.9.1
- (no CPE) range: < 4.2.9-9.9.1
- (no CPE) range: < 4.2.9-9.9.1
- (no CPE) range: < 4.2.9-7.6.1
- (no CPE) range: < 4.2.9-7.6.1
- (no CPE) range: < 4.2.9-7.6.1
- (no CPE) range: < 4.2.9-7.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cr3x-7m39-c6jq (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-8163 (ghsa; ADVISORY)
- packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html (ghsa; x_refsource_MISC; WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml (ghsa; WEB)
- groups.google.com/forum/ (ghsa; WEB)
- groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0 (ghsa; x_refsource_MISC; WEB)
- hackerone.com/reports/304805 (ghsa; x_refsource_MISC; WEB)
- lists.debian.org/debian-lts-announce/2020/07/msg00013.html (ghsa; mailing-list; x_refsource_MLIST; WEB)
News mentions
No linked articles in our index yet.