Resque vulnerable to reflected XSS in resque-web failed and queues lists
Description
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=" and "/queues/>". This issue has been patched in version 2.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in resque-web: request parameters were interpolated into the failed-jobs and queues views without HTML escaping; patched in version 2.2.1.
CVE-2023-50725 describes a reflected cross-site scripting (XSS) vulnerability in resque-web, the Sinatra-based web interface that ships with the Resque background job library [2]. The root cause is missing output encoding rather than missing input validation: the ERB views interpolate request parameters straight into the HTML response. The patch below shows the affected sinks: the class and queue parameters on the failed-jobs page, the queue id on the queues page, the key parameter on the Redis key inspection page, and the error message on the error page [1][3].
An attacker exploits this by getting a victim to open a crafted URL such as the "/failed/?class=" and "/queues/>" paths named in the advisory, with the script payload carried in the parameter value. No authentication or special privileges are required of the attacker; the victim only needs to open the link in a browser that is logged in to, or can otherwise reach, the resque-web deployment [2].
Successful exploitation runs attacker-controlled JavaScript in the victim's browser within the origin of the resque-web deployment. Beyond session hijacking and data theft, the script can drive resque-web's own state-changing actions on the victim's behalf, for example the clear, requeue and remove-queue forms visible in the patched templates below [2].
The vulnerability is patched in Resque 2.2.1 (commit ee99d2ed6cc7, PR #1790). The fix wraps the interpolated values in escape_html in four templates: error.erb, failed.erb, key_string.erb and queues.erb [3]. Note that the change escapes the values where they appear as element text; the action attributes of the forms in failed.erb and queues.erb, which also interpolate the queue name, are context lines in the diff and are not altered. Users should upgrade to 2.2.1 or later and, since resque-web is an administrative interface, keep it behind authentication rather than exposed directly.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
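The mechanism described in the narrative above, as an added runnable example (not Resque's code and not from the advisory): a stdlib-ERB stand-in for the failed.erb heading and for a form action attribute, each rendered with and without HTML escaping against a constructed payload. The template strings, the render helper, the payloads and the markup_injected? check are assumptions made here for illustration; ERB::Util.html_escape stands in for the escape_html helper used in the patch. Whether Resque's own u helper escapes its argument is not shown on this page, so the attribute pair illustrates the attribute context in general, not a claim about 2.2.1.

```ruby
# Added example (not Resque's own code): a stdlib-only stand-in for the
# resque-web templates touched by the fix, rendered the pre-2.2.1 way
# (raw interpolation) and the post-fix way (HTML-escaped).
require 'erb'

# Hypothetical template modelled on the failed.erb heading; not Resque's file.
VULNERABLE_HEADING = <<~'ERB'
  <h1>Failed Jobs <%= "with class '#{params[:class]}'" if params[:class] %></h1>
ERB

# ERB::Util.html_escape has the same contract as the escape_html helper used in the
# patch: it encodes & < > " and ' so the value can never open or close a tag.
FIXED_HEADING = <<~'ERB'
  <h1>Failed Jobs <%= "with class '#{ERB::Util.html_escape(params[:class])}'" if params[:class] %></h1>
ERB

# Attribute context, modelled on the form `action` lines the diff leaves unchanged.
# Whether Resque's own `u` helper escapes its argument is not shown on this page;
# this pair only illustrates why an attribute value needs escaping too.
UNESCAPED_ACTION = <<~'ERB'
  <form method="POST" action="<%= "/failed/#{params[:queue]}/clear" %>">
ERB
ESCAPED_ACTION = <<~'ERB'
  <form method="POST" action="<%= "/failed/#{ERB::Util.html_escape(params[:queue])}/clear" %>">
ERB

# Render a template with a params hash, as Sinatra would hand it to the view.
def render(template, params)
  ERB.new(template).result_with_hash(params: params)
end

# Constructed attacker-controlled values, as they would arrive in the query string.
TEXT_PAYLOAD = "'><script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'

def vulnerable_heading
  render(VULNERABLE_HEADING, { class: TEXT_PAYLOAD })
end

def fixed_heading
  render(FIXED_HEADING, { class: TEXT_PAYLOAD })
end

def unescaped_action
  render(UNESCAPED_ACTION, { queue: ATTR_PAYLOAD })
end

def escaped_action
  render(ESCAPED_ACTION, { queue: ATTR_PAYLOAD })
end

# A coarse check of the kind a regression test would make: a raw <script> tag or a
# bare `" on...="` sequence in the output means the parameter reached the HTML
# parser as markup rather than as text.
def markup_injected?(html)
  html.include?('<script>') || html.match?(/" on\w+="/)
end

# Applying the escape twice, as `h escape_html(x)` does, is not unsafe but mangles
# the display: every & becomes &amp;amp;, shown to the user as "&amp;".
def double_escaped(name)
  ERB::Util.html_escape(ERB::Util.html_escape(name))
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_heading   # the script tag lands in the page as executable markup
  puts fixed_heading        # same payload, now inert entities
  puts unescaped_action     # attribute closed early, event handler injected
  puts escaped_action       # quote encoded as &quot;, attribute stays intact
  puts double_escaped('a&b')
end
```

Run it with plain ruby; no gems are needed. The same pattern (render the template with the hostile value, assert no raw tag or attribute break-out survives) is what a regression test for this CVE should check for each of the four templates in the patch.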
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| resque (RubyGems) | < 2.2.1 | 2.2.1 |
Affected products
- resque/resque: affected range < 2.2.1
Patches
- ee99d2ed6cc7: Escape HTML from the params to avoid XSS (#1790)
4 files changed · +6 −6
lib/resque/server/views/error.erb+1 −1 modified@@ -1 +1 @@ -<h1 style="font-size:110%;font-family:Arial, sans-serif;"><%= error %></h1> \ No newline at end of file +<h1 style="font-size:110%;font-family:Arial, sans-serif;"><%= escape_html(error) %></h1>
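Review bot: escape_html(error) is correct for a text node, but it changes behaviour for any caller that passed a pre-formatted message into `error` (entities and tags would now render literally inside the `<h1>`); confirm every source of `error` is a plain string, or strip the markup at the source instead of relying on this view.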
lib/resque/server/views/failed.erb+3 −3 modified@@ -1,12 +1,12 @@ <% if failed_multiple_queues? && !params[:queue] %> <h1>All Failed Queues: <%= Resque::Failure.queues.size %> total</h1> <% else %> -<h1>Failed Jobs <%= "on '#{params[:queue]}'" if params[:queue] %> <%= "with class '#{params[:class]}'" if params[:class] %></h1> +<h1>Failed Jobs <%= "on '#{escape_html(params[:queue])}'" if params[:queue] %> <%= "with class '#{escape_html(params[:class])}'" if params[:class] %></h1> <% end %> <% unless failed_size.zero? %> <form method="POST" action="<%= u "failed#{'/' + params[:queue] if params[:queue]}/clear" %>"> - <input type="submit" name="" value="Clear <%= params[:queue] ? "'#{params[:queue]}'" : 'Failed' %> Jobs" class="confirmSubmission" /> + <input type="submit" name="" value="Clear <%= params[:queue] ? "'#{escape_html(params[:queue])}'" : 'Failed' %> Jobs" class="confirmSubmission" /> </form> <% unless params[:queue] %> @@ -15,7 +15,7 @@ </form> <% end %> <form method="POST" action="<%= u "failed#{'/' + params[:queue] if params[:queue]}/requeue/all" %>"> - <input type="submit" name="" value="Retry <%= params[:queue] ? "'#{params[:queue]}'" : 'Failed' %> Jobs" class="confirmSubmission" /> + <input type="submit" name="" value="Retry <%= params[:queue] ? "'#{escape_html(params[:queue])}'" : 'Failed' %> Jobs" class="confirmSubmission" /> </form> <% end %>
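Review bot: the three heading and button values are now escaped, but both `<form method="POST" action="<%= u "failed#{'/' + params[:queue] if params[:queue]}/clear" %>">` and the matching `.../requeue/all` line in the second hunk are unchanged and still interpolate params[:queue] into a double-quoted attribute; unless `u` encodes `"` and `&`, a queue name containing `"` can close the attribute and inject an event handler, so wrap it there as well (e.g. `escape_html(params[:queue])`, or a path-segment URL encoder). Also, `'/' + params[:queue]` assumes a String; a `queue[]=` array parameter raises TypeError before escape_html ever runs, so a `params[:queue].to_s` or a type check would make the guard match the new escaping.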
lib/resque/server/views/key_string.erb+1 −1 modified@@ -1,5 +1,5 @@ <% if key = params[:key] %> - <h1>Key "<%= key %>" is a <%= resque.redis.type key %></h1> + <h1>Key "<%= escape_html(key) %>" is a <%= resque.redis.type key %></h1> <h2>size: <%= redis_get_size(key) %></h2> <table> <tr>
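Review bot: this hunk escapes only the heading; `key` is still passed raw to `resque.redis.type key` and `redis_get_size(key)`, which is fine since those are Redis arguments rather than HTML, but the `<table>` that opens at the end of the hunk presumably renders the value stored under that attacker-chosen key, so those rows need the same treatment in this PR or a crafted stored value becomes a second sink.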
lib/resque/server/views/queues.erb+1 −1 modified@@ -2,7 +2,7 @@ <% if current_queue = params[:id] %> - <h1>Pending jobs on <span class='hl'><%= h current_queue %></span></h1> + <h1>Pending jobs on <span class='hl'><%= h escape_html(current_queue) %></span></h1> <form method="POST" action="<%=u "/queues/#{current_queue}/remove" %>" class='remove-queue'> <input type='submit' name='' value='Remove Queue' class="confirmSubmission" /> </form>
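Review bot: `h escape_html(current_queue)` double-escapes if `h` is already an alias for escape_html, which the removed line suggests since the heading was already going through `h` before this change; a queue named `a&b` would then render as `a&amp;amp;b` and display as `a&amp;b`. Keep one of the two. The unescaped sink in this hunk is the unchanged `action="<%=u "/queues/#{current_queue}/remove" %>"`, which interpolates the queue id into an attribute without escaping; apply escape_html (or a path-segment URL encoder) there instead.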
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gc3j-vvwf-4rp8 (ghsa; advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-50725 (ghsa; advisory)
- github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07 (ghsa; x_refsource_MISC; web)
- github.com/resque/resque/pull/1790 (ghsa; x_refsource_MISC; web)
- github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8 (ghsa; x_refsource_CONFIRM; web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml (ghsa; x_refsource_MISC; web)