CVE-2023-22797
Description
An open redirect vulnerability is fixed in Rails 7.0.4.1. Rails 7.0 added protection against open redirects when redirect_to is called with untrusted user input; in versions before 7.0 the developer was fully responsible for passing only trusted input. However, the check introduced in 7.0 could be bypassed with a carefully crafted URL, resulting in an open redirect.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ruby on Rails 7.0.4.1 fixes an open redirect in Action Pack: the host check that redirect_to applies when raise_on_open_redirects is enabled could be bypassed by a crafted URL, sending users to attacker-controlled sites.
What the vulnerability is
CVE-2023-22797 is an open redirect vulnerability in the Ruby on Rails framework, specifically in Action Pack. Rails 7.0 introduced the raise_on_open_redirects protection, under which redirect_to rejects targets whose host differs from the request host. The check behind it, the _url_host_allowed? method, was insufficient: a carefully crafted URL could pass it while still sending the browser to an external host. Rails 7.0.4.1 tightens the check; versions 7.0.0 through 7.0.4 are affected [1][4].
How it is exploited
The vulnerability is exploited by an attacker who controls the value an application passes to redirect_to, typically a "return to" or "next" parameter on a login or logout flow. The crafted URL is one that Ruby's URI parser sees as having no host (so the host check treats it as a same-site, relative target) but that a browser resolves to an external host when it appears in a Location header. The application then performs an open redirect. This requires that the application passes user-supplied input to redirect_to, which is a common pattern for features like login redirects [3][4]. No privileges are needed beyond the ability to send HTTP requests to the vulnerable endpoint, and the victim only has to follow a link to the legitimate site. Note that the bypassed check is only in play when raise_on_open_redirects is enabled (it is on by default for new Rails 7.0 applications); an application that never enabled it had no framework-level protection in the first place.
Impact
Successful exploitation allows an attacker to redirect users from a legitimate Rails application to a malicious website. Because the link the victim clicks points at the trusted domain, this is well suited to phishing, credential theft, and malware delivery: the user believes they are navigating within a trusted site when they are actually being sent to an attacker-controlled one [1][3].
Mitigation
The vulnerability is fixed in Rails 7.0.4.1 (actionpack gem). Applications on 7.0.x should upgrade to 7.0.4.1 or later. There is no workaround short of updating, since the protection itself was bypassable [4]. Independently of the framework check, developers should not pass user-supplied input to redirect_to without validation [3]. In Rails 7.0 that means keeping raise_on_open_redirects enabled, passing allow_other_host: false where a redirect must never leave the site, and resolving user-supplied targets with url_from (which returns nil for a foreign host) so that a safe default such as root_url is used instead.
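The following is an added example, not code from Rails or from the advisory. It models the two checks discussed above in plain Ruby: a host-only check in the spirit of the pre-7.0.4.1 behaviour (a target with no parsed host is treated as relative and allowed) and a tightened check in the spirit of 7.0.4.1 (a hostless target is only allowed when it is an absolute path that does not begin with "//"). The method names, REQUEST_HOST and the sample targets are constructed for this example; the point it demonstrates is why a target such as "///evil.com/" passes a host-only check even though a browser resolves it to an external site.

```ruby
require "uri"

# Constructed: the host of the application handling the request.
REQUEST_HOST = "app.example.com"

# Host component as Ruby's URI parser sees it (nil or empty when absent).
def parsed_host(url)
  URI(url.to_s).host
end

# Models the weak, host-only check: accept the request host, or any target
# for which no host was parsed at all ("looks relative"). Simplified model,
# not Rails' implementation.
def host_allowed_weak?(url, request_host = REQUEST_HOST)
  host = parsed_host(url)
  host == request_host || host.to_s.empty?
rescue ArgumentError, URI::Error
  false # unparsable targets are rejected
end

# Models the tightened check: a hostless target must be an absolute path
# ("/..."), and must not start with "//", which browsers treat as
# protocol-relative even with extra slashes ("///evil.com" => evil.com).
def host_allowed_fixed?(url, request_host = REQUEST_HOST)
  target = url.to_s
  host = parsed_host(target)
  return true if host == request_host
  return false unless host.to_s.empty?        # any other host is external
  return false unless target.start_with?("/") # rejects "evil.com", "javascript:..."
  !target.start_with?("//")                   # rejects "//..." and "///evil.com"
rescue ArgumentError, URI::Error
  false
end

# Constructed sample redirect targets, as an attacker might supply them in
# a return_to parameter. The backslash variant is rejected by both checks
# only because Ruby's URI parser raises on it.
SAMPLE_TARGETS = [
  "/dashboard",
  "https://app.example.com/account",
  "https://evil.com/",
  "//evil.com/",
  "///evil.com/",
  "javascript:alert(1)",
  "/\\evil.com",
].freeze

# Returns { target => { weak: bool, fixed: bool } } for every sample target.
def compare_checks(targets = SAMPLE_TARGETS, request_host = REQUEST_HOST)
  targets.to_h do |t|
    [t, { weak: host_allowed_weak?(t, request_host),
          fixed: host_allowed_fixed?(t, request_host) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |target, result|
    puts format("%-34s weak=%-5s fixed=%-5s", target.inspect, result[:weak], result[:fixed])
  end
end
```

Run it and the row for "///evil.com/" is the one that matters: the weak check lets it through because the parser reports no host, while the tightened check rejects it on the "//" prefix. A practical takeaway is to never decide "is this relative?" from the parsed host alone; decide it from the shape of the string the browser will receive.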
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| actionpack | RubyGems | >= 7.0.0, < 7.0.4.1 | 7.0.4.1 |
Affected products
- Rails/Rails (GHSA coordinates), 2 version ranges:
  - >= 7.0.0, < 7.0.4.1 (no CPE)
  - < 7.0.4.1-1.1 (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-9445-4cr6-336r (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2023-22797 (GHSA, advisory)
3. discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127 (GHSA, web)
4. github.com/rails/rails/releases/tag/v7.0.4.1 (GHSA, web)
5. github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22797.yml (GHSA, web)
News mentions
No linked articles in our index yet.