VYPR
Moderate severity · NVD Advisory · Published Apr 6, 2021 · Updated Aug 3, 2024

CVE-2021-30151


Description

Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sidekiq before 5.1.4 and 6.x before 6.2.1 has a reflected XSS vulnerability in the live-poll feature's queue name parameter; it is exploitable only with Internet Explorer.

Vulnerability

Sidekiq versions up to and including 5.1.3 and 6.x through 6.2.0 contain a reflected cross-site scripting (XSS) vulnerability in the live-poll feature of the Web UI. The vulnerability exists because the queue name supplied via the /queues/:name route is rendered unsanitized in the page response when using Internet Explorer. The fix introduced a pessimistic regular expression constraint on queue names (QUEUE_NAME = /\A[a-z_:.\-0-9]+\z/i) to reject any input containing HTML metacharacters [1][2][4].
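The allowlist from the fix, as an added example that is not Sidekiq's own code: QUEUE_NAME is the constant from the patch, while valid_queue_name?, queue_route, the loose-anchor variant and the sample names are assumed here to show why the \A...\z anchors matter and how a rejected name is answered as plain text.

```ruby
# Added example, not Sidekiq's own code. QUEUE_NAME is the exact constant from
# the fix; valid_queue_name?, queue_route and the sample names are assumed here.

# Allowlist introduced by the fix for CVE-2021-30151.
QUEUE_NAME = /\A[a-z_:.\-0-9]+\z/i

# Tempting but unsafe variant: in Ruby, ^ and $ match at *line* boundaries,
# so this accepts any string whose first line looks like a queue name.
LOOSE_QUEUE_NAME = /^[a-z_:.\-0-9]+$/i

def valid_queue_name?(name, pattern = QUEUE_NAME)
  !name.nil? && name.match?(pattern)
end

# Mirrors the patched /queues/:name route: validate before touching the queue
# and return a plain-text 404 (nosniff is an addition beyond the patch) so the
# browser never treats the rejected name as HTML.
def queue_route(name)
  unless valid_queue_name?(name)
    headers = {"Content-Type" => "text/plain", "X-Content-Type-Options" => "nosniff"}
    return [404, headers, ["404"]]
  end
  # Interpolating name here is safe only because it passed the allowlist.
  [200, {"Content-Type" => "text/html"}, ["<h1>Queue #{name}</h1>"]]
end

# Constructed inputs: the two names from the fix's own test plus edge cases.
SAMPLE_NAMES = [
  "default",              # normal queue
  "foo_bar:123-wow.",     # accepted by the fix's test
  "onmouseover=alert()",  # rejected by the fix's test
  "default\n<b>x</b>",    # passes the loose anchors, fails \A...\z
  "",                     # empty
  nil,                    # missing route param
]

# Returns {name => [strict_result, loose_result]} to show where they differ.
def compare_anchors(names = SAMPLE_NAMES)
  names.to_h { |n| [n, [valid_queue_name?(n), valid_queue_name?(n, LOOSE_QUEUE_NAME)]] }
end

if __FILE__ == $0
  compare_anchors.each do |n, (strict, loose)|
    puts "#{n.inspect.ljust(24)} strict=#{strict} loose=#{loose}"
  end
end
```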

Exploitation

An attacker needs only to craft a URL with a malicious queue name (e.g., /queues/onmouseover=alert()) and convince a victim using Internet Explorer to visit that link. No authentication or special privileges are required because the vulnerable endpoint is accessible by default in the Sidekiq Web UI. Internet Explorer interprets the unescaped queue name as HTML, allowing the injected script to execute in the context of the victim's session [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to theft of session cookies, defacement of the Sidekiq Web UI, or other actions that the victim's session permits. The attack is confined to Internet Explorer; other browsers are not affected because they handle the HTML response differently [1][2].

Mitigation

The vulnerability is fixed in Sidekiq versions 5.1.4 and 6.2.1, both released on or shortly after 2021-04-06. Users should upgrade to these or later versions. As a workaround, administrators can restrict access to the Sidekiq Web UI to trusted users or networks. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1][2][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions     Patched versions
sidekiq (RubyGems)   < 5.2.0               5.2.0
sidekiq (RubyGems)   >= 6.0.0, < 6.2.1     6.2.1

Affected products

2

Patches

1
64f70339d1dc

Add pessimistic regexp on queue name input to avoid XSS, fixes #4852

https://github.com/mperham/sidekiq · Mike Perham · Mar 25, 2021 · via ghsa
3 files changed · +11 −2
  • lib/sidekiq/web/action.rb · +1 −1 · modified
    @@ -15,7 +15,7 @@ def request
         end
     
         def halt(res)
    -      throw :halt, res
    +      throw :halt, [res, {"Content-Type" => "text/plain"}, [res.to_s]]
         end
     
         def redirect(location)
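Review bot: The substantive part of the `halt` change is forcing `"Content-Type" => "text/plain"` on every halted response, so a rejected queue name echoed in a 404 is no longer something Internet Explorer can render as HTML; consider adding `"X-Content-Type-Options" => "nosniff"` to the same header hash to close the remaining sniffing path. Note also that `res` now serves as both the Rack status and the body (`[res.to_s]`), so every caller of `halt` must pass an integer status; the visible call site passes `404`, but a comment on the method stating that contract would help future callers.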
    
  • lib/sidekiq/web/application.rb · +3 −1 · modified
    @@ -82,10 +82,12 @@ def self.set(key, val)
           erb(:queues)
         end
     
    +    QUEUE_NAME = /\A[a-z_:.\-0-9]+\z/i
    +
         get "/queues/:name" do
           @name = route_params[:name]
     
    -      halt(404) unless @name
    +      halt(404) if !@name || @name !~ QUEUE_NAME
     
           @count = (params["count"] || 25).to_i
           @queue = Sidekiq::Queue.new(@name)
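Review bot: `QUEUE_NAME = /\A[a-z_:.\-0-9]+\z/i` correctly uses `\A` and `\z`; Ruby's `^`/`$` are line anchors and would let a second line through, so this choice is worth a comment on the constant so nobody "simplifies" it later. The same comment should spell out the allowed character set, because the check is an allowlist: any existing queue whose name contains a space, slash or other character outside that set will now get a 404 from `/queues/:name`, and the `i` flag admitting uppercase names is intentional but otherwise undocumented.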
    
  • test/test_web.rb · +7 −0 · modified
    @@ -124,6 +124,13 @@ def perform(a, b)
       end
     
       it 'handles queue view' do
    +    get '/queues/onmouseover=alert()'
    +    assert_equal 404, last_response.status
    +
    +    get '/queues/foo_bar:123-wow.'
    +    assert_equal 200, last_response.status
    +    assert_match(/foo_bar:123-wow\./, last_response.body)
    +
         get '/queues/default'
         assert_equal 200, last_response.status
       end
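Review bot: The new assertions cover one rejected and one accepted name, but nothing checks the response produced for the rejected one, so the companion `action.rb` change (which now emits `Content-Type: text/plain` from `halt`) is not exercised here; add a content-type assertion (e.g. `assert_equal 'text/plain', last_response.content_type`) right after `assert_equal 404, last_response.status`. A name that is valid only on its first line would also pin the `\A`/`\z` anchoring of `QUEUE_NAME` against a future regression.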
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.