VYPR
Medium severity (CVSS 5.3) · OSV Advisory · Published Jan 9, 2025 · Updated Apr 15, 2026

CVE-2023-28120

Description

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ActiveSupport SafeBuffer fails to remove html_safe tag when bytesplice is called, enabling XSS via untrusted input.

Vulnerability

Overview

CVE-2023-28120 is a cross-site scripting (XSS) vulnerability in ActiveSupport, a component of Ruby on Rails. The issue arises because SafeBuffer, the String subclass that marks strings as html_safe once they have been escaped or sanitized, does not override the bytesplice method introduced in Ruby 3.2. Every other mutating method on SafeBuffer escapes its argument unless that argument is itself html_safe, but the inherited String#bytesplice writes the bytes in directly. When bytesplice is called on a SafeBuffer with untrusted user input, the html_safe flag is therefore retained, and the mutated string is treated as safe even though it may contain unescaped attacker-controlled markup [1][2].

Exploitation

To exploit this vulnerability, an attacker must be able to supply untrusted input that is passed to the bytesplice method on a SafeBuffer object. This requires the application to be running on Ruby 3.2 or later, as earlier Ruby versions do not have the bytesplice method. The attacker does not need authentication if the vulnerable code path is exposed to unauthenticated users, but the specific attack surface depends on how the application uses SafeBuffer and bytesplice [2].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML or JavaScript into a page that would otherwise be considered safe. This can lead to cross-site scripting (XSS) attacks, potentially enabling session theft, defacement, or phishing. The CVSS v3 base score is 5.3 (Medium), reflecting the need for specific conditions (Ruby 3.2 and untrusted input on bytesplice) [1].

Mitigation

The vulnerability is fixed in Rails versions 7.0.4.3 and 6.1.7.3. Users unable to upgrade immediately should avoid calling bytesplice on a SafeBuffer with untrusted user input. Patches for the 6.1 and 7.0 series are available from the Rails security advisory [2]. Users on unsupported releases are advised to upgrade as soon as possible.
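To make the mechanism above and the shape of the fix concrete, here is an added example (not code from Rails or from this advisory) built on a constructed String subclass, MiniSafeBuffer, standing in for ActiveSupport::SafeBuffer: the unfixed class inherits String#bytesplice and so splices raw markup while still reporting html_safe?, and FixedSafeBuffer applies the same override the Rails patch does. It assumes Ruby 3.2 or later for the real String#bytesplice and carries a small constructed fallback so it also runs on older interpreters.

```ruby
require "cgi"

unless String.method_defined?(:bytesplice)
  # Constructed fallback so the demo also runs on Rubies before 3.2 (where
  # String#bytesplice does not exist); it is not Ruby's implementation and
  # only covers the (index, length, str) and (range, str) forms on ASCII input.
  class String
    def bytesplice(*args, str)
      start, len = args.size == 2 ? args : [args[0].begin, args[0].size]
      replace(byteslice(0, start) + str + byteslice(start + len, bytesize - start - len))
    end
  end
end

# Constructed stand-in for ActiveSupport::SafeBuffer (not the Rails class): a
# String subclass that escapes untrusted values in the mutators it overrides.
# bytesplice is NOT overridden here, so it is inherited from String and
# bypasses the escaping while html_safe? keeps answering true (the bug).
class MiniSafeBuffer < String
  def html_safe?
    true
  end

  def insert(index, value)
    super(index, escape_unless_safe(value))
  end

  private

  def escape_unless_safe(value)
    value.respond_to?(:html_safe?) && value.html_safe? ? value : CGI.escapeHTML(value.to_s)
  end
end

# Fixed shape, mirroring the Rails patch: bytesplice escapes its value like
# every other mutator before handing it to String#bytesplice.
class FixedSafeBuffer < MiniSafeBuffer
  def bytesplice(*args, value)
    super(*args, escape_unless_safe(value))
  end
end

# Splice an untrusted value (constructed XSS probe) into a safe buffer and
# return what a view would render plus whether it still claims to be safe.
def splice_untrusted(klass, untrusted = "<script>alert(1)</script>")
  buf = klass.new("<p>hello</p>")
  buf.bytesplice(3, 0, untrusted) # same call shape as the Rails test
  [buf.to_s, buf.html_safe?]
end
```

Rendering the first tuple's string verbatim is exactly the XSS the advisory describes; the second tuple shows the escaped output a patched SafeBuffer produces while still being marked safe.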

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions      Patched versions
activesupport  RubyGems    >= 7.0.0, < 7.0.4.3    7.0.4.3
activesupport  RubyGems    < 6.1.7.3              6.1.7.3

Affected products: 29

Patches (1)

Commit 3cf23c3f891e: Implement SafeBuffer#bytesplice
Repository: https://github.com/rails/rails · Author: Akira Matsuda · Jan 4, 2023 · via GHSA
2 files changed · +34 -0
  • activesupport/lib/active_support/core_ext/string/output_safety.rb (+4 -0, modified)
    @@ -216,6 +216,10 @@ def concat(value)
         end
         alias << concat
     
    +    def bytesplice(*args, value)
    +      super(*args, implicit_html_escape_interpolated_argument(value))
    +    end
    +
         def insert(index, value)
           super(index, html_escape_interpolated_argument(value))
         end
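Review bot: the `def bytesplice(*args, value)` override is defined unconditionally, so on interpreters without String#bytesplice a SafeBuffer now answers true to `respond_to?(:bytesplice)` while `super` would raise NoMethodError; the test side guards with `if "".respond_to?(:bytesplice)`, so either wrap this definition in the same kind of guard (e.g. `if String.method_defined?(:bytesplice)`) or add a comment saying the false positive is accepted. The method also deserves a one-line comment on why it calls `implicit_html_escape_interpolated_argument` when the adjacent `insert` calls `html_escape_interpolated_argument`, since a reader of the diff cannot tell why the two neighbouring overrides use different helpers.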
    
  • activesupport/test/core_ext/string_ext_test.rb (+30 -0, modified)
    @@ -987,6 +987,36 @@ def to_s
         assert_predicate string, :html_safe?
       end
     
    +  if "".respond_to?(:bytesplice)
    +    test "Bytesplicing safe into safe yields safe" do
    +      string = "hello".html_safe
    +      string.bytesplice(0, 0, "<b>".html_safe)
    +
    +      assert_equal "<b>hello", string
    +      assert_predicate string, :html_safe?
    +
    +      string = "hello".html_safe
    +      string.bytesplice(0..1, "<b>".html_safe)
    +
    +      assert_equal "<b>llo", string
    +      assert_predicate string, :html_safe?
    +    end
    +
    +    test "Bytesplicing unsafe into safe yields escaped safe" do
    +      string = "hello".html_safe
    +      string.bytesplice(1, 0, "<b>")
    +
    +      assert_equal "h&lt;b&gt;ello", string
    +      assert_predicate string, :html_safe?
    +
    +      string = "hello".html_safe
    +      string.bytesplice(1..2, "<b>")
    +
    +      assert_equal "h&lt;b&gt;lo", string
    +      assert_predicate string, :html_safe?
    +    end
    +  end
    +
       test "emits normal string yaml" do
         assert_equal "foo".to_yaml, "foo".html_safe.to_yaml(foo: 1)
       end
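Review bot: both new tests assert only on the mutated receiver and never on what `bytesplice` returns, and every spliced value is a String or SafeBuffer; since the library override routes every value through the escape helper, add a case with a non-String argument (an object that only responds to `to_s`) and assert the return value, so a later change to the helper's conversion cannot slip past this suite. The `if "".respond_to?(:bytesplice)` guard also silently drops the whole block on older Rubies; that is fine for CI running 3.2, but a `skip` with a message inside the tests would make the omission visible in the output instead of reporting two fewer tests.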
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 12
