Cross-site Scripting (XSS) - Reflected in sidekiq/sidekiq
Description
Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in Sidekiq Web UI before 7.0.8 allows attackers to execute arbitrary JavaScript in a victim's browser.
Vulnerability
CVE-2023-1892 is a reflected cross-site scripting (XSS) vulnerability in the Web UI of Sidekiq, a background job processing framework for Ruby. The flaw exists because the `period` query parameter on the Metrics pages is not sanitized before being reflected in the Web UI, allowing arbitrary JavaScript execution [3].
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload. When a user with access to the Sidekiq Web UI clicks the link, the script executes in the context of the Web UI, potentially compromising the user's session [4]. No authentication is required to trigger the reflection, but the victim must be logged into the Sidekiq Web UI for the attack to be effective.
Impact
Successful exploitation could allow an attacker to steal session cookies, perform actions as the victim user, or modify the Web UI content. This could lead to unauthorized access and control over the Sidekiq management interface.
Mitigation
The vulnerability was fixed in Sidekiq version 7.0.8. Users should upgrade to this version or later to mitigate the risk [1]. Those unable to upgrade should restrict access to the Web UI to trusted networks and users.
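As an added illustration of the fix pattern (example code, not Sidekiq's own): the patch truncates the `period` parameter to two characters and HTML-escapes it before storing it for the view. The snippet below shows that escaping-only variant beside a stricter allow-list variant that only accepts known period names. `CGI.escapeHTML` stands in for the Web UI's `h` helper, and the `METRICS_PERIODS` keys and minute values are assumptions constructed for the example.

```ruby
require "cgi"

# Constructed period-name => minutes table. Keys and values are assumptions
# for this example, not Sidekiq's real METRICS_PERIODS contents.
METRICS_PERIODS = { "1h" => 60, "2h" => 120, "4h" => 240, "8h" => 480 }.freeze

# Escaping-only variant, the shape of the upstream fix: the raw query value is
# truncated to two characters and HTML-escaped, so markup characters can no
# longer be interpreted by the browser when the value is rendered.
def sanitize_period(raw)
  CGI.escapeHTML((raw || "")[0, 2])
end

# Allow-list variant: only a known period name is accepted; anything else is
# replaced by the default key, so attacker-controlled text is never stored.
def resolve_period(raw, periods = METRICS_PERIODS)
  periods.key?(raw) ? raw : periods.keys.first
end

# Look up the minute window for the resolved period.
def period_minutes(raw, periods = METRICS_PERIODS)
  periods.fetch(resolve_period(raw, periods))
end

# Minimal template fragment showing the escaped value landing in both an HTML
# attribute and element text; neither position can break out of its context.
def render_period_option(raw)
  safe = sanitize_period(raw)
  %(<option value="#{safe}">#{safe}</option>)
end

if __FILE__ == $PROGRAM_NAME
  puts render_period_option("2h")
  puts render_period_option("<b>")
  puts period_minutes("zz")
end
```

The allow-list variant is the one to prefer when the set of valid values is known, because it never depends on the view escaping correctly; the escape then becomes a second line of defence rather than the only one.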
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sidekiq (RubyGems) | >= 7.0.4, < 7.0.8 | 7.0.8 |
Affected products
- sidekiq/sidekiq/sidekiq, v5, Range: 7.0.4
Patches
458fdf74176a Trim :period parameter to two characters and escape the value
3 files changed · +8 −5
Changes.md+5 −2 modified@@ -2,10 +2,13 @@ [Sidekiq Changes](https://github.com/sidekiq/sidekiq/blob/main/Changes.md) | [Sidekiq Pro Changes](https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md) | [Sidekiq Enterprise Changes](https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md) -HEAD +7.0.8 ---------- -- Add job hash as another parameter to any `sidekiq_retry_in` block. +- **SECURITY** Sanitize `period` input parameter on Metrics pages. + Specially crafted values can lead to XSS. This functionality + was introduced in 7.0.4. Thank you to spercex @ huntr.dev [#5694] +- Add job hash as 3rd parameter to the `sidekiq_retry_in` block. 7.0.7 ----------
lib/sidekiq/version.rb+1 −1 modified@@ -1,6 +1,6 @@ # frozen_string_literal: true module Sidekiq - VERSION = "7.0.7" + VERSION = "7.0.8" MAJOR = 7 end
lib/sidekiq/web/application.rb+2 −2 modified@@ -68,7 +68,7 @@ def self.set(key, val) get "/metrics" do q = Sidekiq::Metrics::Query.new - @period = params[:period] + @period = h((params[:period] || "")[0..1]) @periods = METRICS_PERIODS minutes = @periods.fetch(@period, @periods.values.first) @query_result = q.top_jobs(minutes: minutes) @@ -77,7 +77,7 @@ def self.set(key, val) get "/metrics/:name" do @name = route_params[:name] - @period = params[:period] + @period = h((params[:period] || "")[0..1]) q = Sidekiq::Metrics::Query.new @periods = METRICS_PERIODS minutes = @periods.fetch(@period, @periods.values.first)
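Review bot: In the `get "/metrics"` hunk, `@period = h((params[:period] || "")[0..1])` truncates and escapes the value but still lets any unknown two-character string reach the view; since the following line already falls back through `@periods.fetch(@period, @periods.values.first)`, an allow-list against the `METRICS_PERIODS` keys would be stricter, e.g. `@period = METRICS_PERIODS.key?(params[:period]) ? params[:period] : METRICS_PERIODS.keys.first`, leaving the escape as a second line of defence rather than the only one.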
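Review bot: The sanitisation in the `get "/metrics/:name"` hunk is a verbatim copy of the `/metrics` one; pulling `h((params[:period] || "")[0..1])` into a small helper keeps the two routes from drifting apart on the next change. In the same hunk `@name = route_params[:name]` is stored without the same treatment, so the view is being relied on to escape it; worth confirming that at render time while this code is being touched.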
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-h3r8-h5qw-4r35 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-1892 (GHSA, advisory)
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sidekiq/CVE-2023-1892.yml (GHSA, web)
- https://github.com/sidekiq/sidekiq/blob/main/Changes.md (GHSA, web)
- https://github.com/sidekiq/sidekiq/commit/458fdf74176a9881478c48dc5cf0269107b22214 (GHSA, web)
- https://huntr.dev/bounties/e35e5653-c429-4fb8-94a3-cbc123ae4777 (GHSA, web)
News mentions
No linked articles in our index yet.