CVE-2021-22885
Description
A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the redirect_to or polymorphic_url helper with untrusted user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Action Pack's `redirect_to` and `polymorphic_url` helpers can disclose internal information or execute unintended methods when given untrusted user input, affecting versions >= 2.0.0.
Vulnerability
A possible information disclosure / unintended method execution vulnerability exists in Action Pack (the Rails controller layer) when using the redirect_to or polymorphic_url helpers with untrusted user input [3]. The vulnerable code pattern passes user-supplied parameters directly to these helpers, e.g., redirect_to(params[:some_param]). All versions of Action Pack from 2.0.0 up to and including 5.2.4.6, 6.0.3.6, and 6.1.3.1 are affected; versions < 2.0.0 are not affected [3].
Exploitation
An attacker needs to supply a specially crafted parameter to an endpoint that calls redirect_to or polymorphic_url with untrusted input. No authentication is required if the endpoint is public. The attacker can control the target argument, potentially triggering method calls on internal objects or exposing sensitive information [3]. The exact mechanism depends on how the helper interprets the input (e.g., as a symbol or hash).
Impact
Successful exploitation can lead to unintended method execution on the server, which may result in information disclosure (e.g., leaking internal details or credentials) or arbitrary method invocation in the context of the application [2][3]. The attacker does not directly gain RCE but can influence program execution paths, potentially leading to further compromise [3].
Mitigation
Fixed versions were released on 2021-05-05: 5.2.4.6, 5.2.6, 6.0.3.7, and 6.1.3.2 [3]. Patches are available for the 5.2, 6.0, and 6.1 series [3]. Workarounds include using an allow list to validate user input or forcing the input to a string via to_s [3]. Users on unsupported releases (< 5.2) should upgrade as soon as possible [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
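The two workarounds named above (an allow list, or forcing the value to a String with `to_s`) applied to the `redirect_to(params[:some_param])` pattern, as an added example that is not part of the advisory or of Rails. It is plain Ruby with a stand-in controller so it runs without Action Pack; the `/dashboard`-style allow list and the `return_to` parameter name are hypothetical.

```ruby
# Added example (not from the advisory or from Rails): both workarounds the
# advisory lists, in plain Ruby. `params` stands in for request parameters;
# a nested query parameter arrives as a Hash rather than a String, which is
# one of the shapes the unsafe redirect_to(params[:return_to]) call mishandles.

DEFAULT_PATH  = "/".freeze
ALLOWED_PATHS = %w[/dashboard /account /orders].freeze # hypothetical allow list

# Workaround 1: allow list. Only an exact, known, relative path is passed on;
# anything else (Hash, Symbol, Array, external URL, unknown path) becomes the
# default. This is the stronger option because it also prevents open redirects.
def safe_redirect_target(param, allowed: ALLOWED_PATHS, default: DEFAULT_PATH)
  return default unless param.is_a?(String)
  allowed.include?(param) ? param : default
end

# Workaround 2: force the value to a String with to_s so the helper can never
# receive a Hash or Symbol to interpret. On its own this still permits a
# redirect to an arbitrary external URL, so pair it with destination validation.
def stringified_target(param)
  param.to_s
end

# Minimal stand-in for a controller: records what redirect_to was called with
# so the hardened call site can be exercised without Action Pack.
class SessionsController
  attr_reader :redirected_to

  def redirect_to(target)
    @redirected_to = target
  end

  # Hardened version of the advisory's pattern: the user-controlled value is
  # validated before it ever reaches redirect_to.
  def create(params)
    redirect_to(safe_redirect_target(params[:return_to]))
    self
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs modelled on the shapes a query string can produce.
  [{ return_to: "/dashboard" },                # legitimate relative path
   { return_to: "https://external.invalid/" }, # external URL: rejected
   { return_to: { "host" => "x" } },           # nested parameter, arrives as a Hash
   { return_to: nil }].each do |params|        # parameter absent
    puts "#{params.inspect} -> #{SessionsController.new.create(params).redirected_to}"
  end
end
```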
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionpack (RubyGems) | >= 6.0.0, < 6.0.3.7 | 6.0.3.7 |
| actionpack (RubyGems) | >= 6.1.0, < 6.1.3.2 | 6.1.3.2 |
| actionpack (RubyGems) | >= 5.2.5, < 5.2.6 | 5.2.6 |
| actionpack (RubyGems) | >= 2.0.0, < 5.2.4.6 | 5.2.4.6 |
Affected products
Action Pack / Action Pack (GHSA coordinates, 12 package URLs; no CPE)
- pkg:gem/actionpack: >= 6.0.0, < 6.0.3.7
- pkg:rpm/opensuse/rubygem-actionpack-5_1&distro=openSUSE%20Leap%2015.2: < 5.1.4-lp152.5.6.1
- pkg:rpm/opensuse/rubygem-actionpack-5_1&distro=openSUSE%20Leap%2015.3: < 5.1.4-3.9.1
- pkg:rpm/opensuse/rubygem-actionpack-6.0&distro=openSUSE%20Tumbleweed: < 6.0.4.4-1.1
- pkg:rpm/suse/rubygem-actionpack-3_2&distro=SUSE%20WebYast%201.3: < 3.2.12-0.27.3.1
- pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%207: < 4.2.9-7.12.1
- pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208: < 4.2.9-7.12.1
- pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: < 4.2.9-7.12.1
- pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015: < 5.1.4-3.9.1
- pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1: < 5.1.4-3.9.1
- pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2: < 5.1.4-3.9.1
- pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3: < 5.1.4-3.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hjg4-8q5f-x6fm (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22885 (GHSA; advisory)
- www.debian.org/security/2021/dsa-4929 (MITRE; vendor advisory, x_refsource_DEBIAN)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml (GHSA; web)
- groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI (GHSA; web)
- hackerone.com/reports/1106652 (GHSA; x_refsource_MISC, web)
- security.netapp.com/advisory/ntap-20210805-0009 (GHSA; web)
- security.netapp.com/advisory/ntap-20210805-0009/ (MITRE; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.