Resque vulnerable to reflected cross site scripting through pathname
Description
Resque (pronounced like "rescue") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in Resque versions before 2.1.0 is vulnerable to reflected XSS through the queue name (current_queue) taken from the path of the queues endpoint. This issue has been patched in version 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Resque versions before 2.1.0 are vulnerable to reflected XSS through the current_queue parameter in the queues endpoint, allowing attackers to inject malicious scripts.
Vulnerability
Resque-web in Resque versions prior to 2.1.0 is vulnerable to reflected cross-site scripting (XSS) through the queue name taken from the path of the /queues endpoint [2]. In lib/resque/server/views/queues.erb the path segment arrives as params[:id], is assigned to current_queue, and is rendered with <%= current_queue %> straight into the page heading without HTML escaping, so any markup in the queue name becomes part of the page.
Exploitation
An attacker crafts a URL of the form /queues/<payload>, with script markup (percent-encoded) in the queue-name path segment, and induces a user of the dashboard to open it; the script runs when the page renders. resque-web ships without authentication of its own, so if the interface is reachable no credentials are needed beyond the victim's browser loading the link, which makes default deployments exploitable [2].
Impact
Successful exploitation runs attacker-controlled JavaScript in the victim's browser in the origin of the resque-web host, potentially leading to cookie theft, session hijacking, or other actions taken with the victim's privileges [2]. The same queues page carries the "Remove Queue" POST form visible in the patched template, so injected script can also submit destructive dashboard actions on the victim's behalf even where cookies are HttpOnly.
Mitigation
The vulnerability is patched in Resque version 2.1.0. The fix, introduced in pull request #1687 [3] and merged in commit e8e2367 [4], wraps the rendered value in the view's h HTML-escaping helper (<%= h current_queue %>), so the queue name is emitted as text rather than markup. Deployments that cannot upgrade immediately should keep resque-web off the public internet and behind authentication; that does not remove the bug but limits who can reach it.
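A runnable illustration of the mechanics above, as an added example that is not Resque's own code: one-line stand-ins for the pre- and post-fix heading line of queues.erb are rendered through stdlib ERB in a minimal view context that supplies params[:id] and an h helper. The QueuesView class, render_queue_page, attack_url, reflects_script?, the host name and the payload string are all constructed for this example; h here is ERB::Util.html_escape, standing in for resque-web's helper, which the page does not define.

```ruby
require "erb"
require "cgi"

# Constructed stand-ins for the <h1> line of lib/resque/server/views/queues.erb
# before and after the fix (the rest of the template is omitted).
VULNERABLE_VIEW = "<h1>Pending jobs on <span class='hl'><%= current_queue %></span></h1>"
PATCHED_VIEW    = "<h1>Pending jobs on <span class='hl'><%= h current_queue %></span></h1>"

# Minimal view context standing in for what resque-web hands the template:
# params[:id] (the path segment after /queues/) and an `h` helper.
# Assumption: `h` is ERB::Util.html_escape here, not resque-web's own helper.
class QueuesView
  include ERB::Util   # provides h(text)
  attr_reader :params

  def initialize(params)
    @params = params
  end

  def render(template)
    current_queue = params[:id]          # mirrors the assignment just above the hunk
    ERB.new(template).result(binding)    # plain ERB: no automatic escaping
  end
end

# Render the heading exactly as GET /queues/<queue_name> would, for one template.
def render_queue_page(queue_name, template)
  QueuesView.new({ id: queue_name }).render(template)
end

# The link an attacker would send: the payload travels as a percent-encoded path
# segment and is decoded by the router before it reaches params[:id].
# The host name is a constructed placeholder.
def attack_url(payload, base = "http://resque-web.internal")
  "#{base}/queues/#{CGI.escape(payload)}"
end

# Demo check: does the rendered HTML contain a live <script> tag?
def reflects_script?(html)
  html.include?("<script>")
end

if $PROGRAM_NAME == __FILE__
  payload = "default<script>alert(document.cookie)</script>"   # constructed PoC queue name
  puts "Attack URL: #{attack_url(payload)}"
  puts "Before fix: #{render_queue_page(payload, VULNERABLE_VIEW)}"
  puts "After fix:  #{render_queue_page(payload, PATCHED_VIEW)}"
end
```

Running it shows the unpatched line echoing the script tag verbatim while the patched line emits &lt;script&gt;, which the browser renders as text. The point of the contrast is that ERB interpolation in resque-web is not escaped by default, so every <%= %> that reflects request data needs the same treatment.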
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| resque (RubyGems) | < 2.1.0 | 2.1.0 |
Affected products
- resque/resque: < 2.1.0
Patches
- e8e2367fff69: Merge pull request #1687 from brianvans/queues_view_xss (1 file changed, +1 −1)
lib/resque/server/views/queues.erb+1 −1 modified@@ -2,7 +2,7 @@ <% if current_queue = params[:id] %> - <h1>Pending jobs on <span class='hl'><%= current_queue %></span></h1> + <h1>Pending jobs on <span class='hl'><%= h current_queue %></span></h1> <form method="POST" action="<%=u "/queues/#{current_queue}/remove" %>" class='remove-queue'> <input type='submit' name='' value='Remove Queue' onclick='return confirm("Are you absolutely sure? This cannot be undone.");' /> </form>
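Review bot: the same current_queue value is interpolated, unescaped, into the form's action attribute in the unchanged context two lines below the fixed heading (`<%=u "/queues/#{current_queue}/remove" %>`); unless u HTML-escapes in addition to building the path, a queue name containing a double quote still closes the attribute and lands in HTML, so that interpolation should be escaped as well (escape the path for the URL, then pass the result through h). The PR touches only this one line of queues.erb; the other views that echo params values deserve the same one-line review before this is considered closed.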
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r8xx-8vm8-x6wj (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-50724 (NVD)
- github.com/resque/resque/commit/e8e2367fff6990d13109ec2483a456a05fbf9811 (fix commit)
- github.com/resque/resque/issues/1679 (issue)
- github.com/resque/resque/pull/1687 (pull request)
- github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj (upstream advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50724.yml (ruby-advisory-db)