VYPR
Low severity · NVD Advisory · Published Oct 26, 2022 · Updated Aug 3, 2024

Ruby on Rails _table.html.erb cross site scripting

CVE-2022-3704

Description

A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319. NOTE: Maintainer declares that there isn’t a valid attack vector. The issue was wrongly reported as a security vulnerability by a non-member of the Rails team.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Rails route error page self-XSS fixed by replacing innerHTML with safe DOM methods.

Vulnerability

Overview

A cross-site scripting (XSS) vulnerability was reported in Ruby on Rails' route error page, specifically within actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb [1]. The problematic code used innerHTML to insert user-controlled path strings into the page, allowing injected content to execute in the browser. While the Rails maintainer disputed the severity, noting the attack vector requires local input (a self-XSS scenario) and stated the issue was incorrectly reported [1], a fix was nevertheless applied.

Attack

Vector

The attack surface is the search functionality on the Rails routing error page. An attacker could craft a malicious string containing JavaScript and, if a victim pastes that string into the search box, the code would execute in the context of the error page [4]. The exploit requires user interaction (self-XSS) and does not allow a remote attacker to directly compromise other users. The issue was initially discovered during a penetration test and reported via HackerOne [4].

Impact

In the worst case, an attacker who can trick a developer or administrator into pasting malicious input into the route search field could achieve script execution. The impact is limited to the context of the error page and does not lead to server-side compromise or data exfiltration without further user actions [4]. The Rails team assessed the actual risk as minimal.

Mitigation

The vulnerability is addressed in commit be177e4566747b73ff63fd5f529fab564e475ed4 [3]. The fix replaces unsafe innerHTML assignments with safe DOM methods: buildTr() creates elements using document.createElement() and appendChild(), and replaceChildren() is used to clear sections [3]. Users should update to a version of Rails that includes this patch. No CVE entry was created in NVD, and the issue is closed as not a valid security vulnerability [1][4].
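As an added example (not code from Rails or the fix commit), the two patterns the paragraph above contrasts placed side by side: the pre-fix HTML-string header and a buildTr written the same way the patch does it, run on the same constructed input. FakeElement, doc, countTags, extraTagsFromPath, resetSection and samplePath are assumptions introduced here so the block runs under Node as well as in a browser.

```javascript
// Added example, not Rails' own code. A minimal Element stand-in is used when
// no real `document` exists (Node); in a browser the real DOM is used instead.
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName; this.children = []; this.attrs = {}; this.innerText = '';
  }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  getAttribute(name) { return this.attrs[name]; }
  appendChild(node) { this.children.push(node); return node; }
  replaceChildren(...nodes) { this.children = nodes; }
}
const doc = typeof document !== 'undefined'
  ? document
  : { createElement: (tagName) => new FakeElement(tagName) };

// Pre-fix pattern: the path is spliced into an HTML string. Any tag-like text
// in `path` becomes real markup once the string is assigned to innerHTML.
function unsafeHeaderHtml(path) {
  return '<tr><th colspan="4">Paths Matching (' + path + '):</th></tr>';
}

// Counts HTML tags in a string; the difference between a path and the empty
// path is the number of tags the browser would parse out of user input.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}
function extraTagsFromPath(path) {
  return countTags(unsafeHeaderHtml(path)) - countTags(unsafeHeaderHtml(''));
}

// Post-fix pattern (same shape as the commit's buildTr): the path is assigned
// as text, so the browser never parses it as HTML.
function buildTr(string) {
  var tr = doc.createElement('tr');
  var th = doc.createElement('th');
  th.setAttribute('colspan', 4);
  tr.appendChild(th);
  th.innerText = string;
  return tr;
}

// Mirrors the patched "clear out results section" step: the header row
// replaces whatever the section held before. Returns the new child count.
function resetSection(section, path) {
  section.replaceChildren(buildTr('Paths Matching (' + path + '):'));
  return section.children.length;
}

// Constructed sample input (illustrative only): a path containing markup.
const samplePath = '/admin/<b>users</b>';
```

With samplePath, the string version gains two parsed tags while the element version keeps the same text as a single inert text node under one th.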

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions   Patched versions
actionpack (RubyGems)   <= 7.0.4            not listed

Affected products

3

Patches

1
be177e456674

Fix #46244 Remove innerHTML usage to avoid self-XSS

https://github.com/rails/rails · Niklas Haeusele · Oct 18, 2022 · via ghsa
1 file changed · +17 −8
  • actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb   +17 −8   modified
    @@ -102,9 +102,9 @@
       // Enables path search functionality
       function setupMatchPaths() {
         // Check if there are any matched results in a section
    -    function checkNoMatch(section, noMatchText) {
    +    function checkNoMatch(section, trElement) {
           if (section.children.length <= 1) {
    -        section.innerHTML += noMatchText;
    +        section.appendChild(trElement);
           }
         }
     
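Review bot: appendChild moves a node rather than copying it, so checkNoMatch must never be called twice with the same trElement; the caller in the next hunk builds separate noExactMatch and noFuzzyMatch elements, so that holds today, but a one-line comment on checkNoMatch saying the passed row is consumed would protect the invariant. The existing comment "Check if there are any matched results in a section" also no longer describes the function, which now appends a fallback row when the section is empty.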
    @@ -145,21 +145,30 @@
           }
         }
     
    +    function buildTr(string) {
    +      var tr = document.createElement('tr');
    +      var th = document.createElement('th');
    +      th.setAttribute('colspan', 4);
    +      tr.appendChild(th);
    +      th.innerText = string;
    +      return tr;
    +    }
    +
         // On key press perform a search for matching paths
         delayedKeyup(searchElem, function() {
           var path = sanitizePath(searchElem.value),
    -          defaultExactMatch = '<tr><th colspan="4">Paths Matching (' + path +'):</th></tr>',
    -          defaultFuzzyMatch = '<tr><th colspan="4">Paths Containing (' + path +'):</th></tr>',
    -          noExactMatch      = '<tr><th colspan="4">No Exact Matches Found</th></tr>',
    -          noFuzzyMatch      = '<tr><th colspan="4">No Fuzzy Matches Found</th></tr>';
    +          defaultExactMatch = buildTr('Paths Matching (' + path + '):'),
    +          defaultFuzzyMatch = buildTr('Paths Containing (' + path +'):'),
    +          noExactMatch      = buildTr('No Exact Matches Found'),
    +          noFuzzyMatch      = buildTr('No Fuzzy Matches Found');
     
           if (!path)
             return searchElem.onblur();
     
           getJSON('/rails/info/routes?path=' + path, function(matches){
             // Clear out results section
    -        exactSection.innerHTML = defaultExactMatch;
    -        fuzzySection.innerHTML = defaultFuzzyMatch;
    +        exactSection.replaceChildren(defaultExactMatch);
    +        fuzzySection.replaceChildren(defaultFuzzyMatch);
     
             // Display exact matches and fuzzy matches
             pathElements.forEach(function(elem) {
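Review bot: th.innerText = string in buildTr is safe against markup injection, but textContent is the better choice for untrusted text: innerText forces a style and layout computation and normalizes whitespace, whereas textContent assigns the string verbatim with no parsing. Minor style point: `'Paths Containing (' + path +'):'` is missing the space before `'):'` that the defaultExactMatch line above it uses.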
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.