VYPR
Moderate severity · NVD Advisory · Published Dec 22, 2023 · Updated Apr 23, 2025

Resque vulnerable to reflected XSS in Queue Endpoint

CVE-2023-50727

Description

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /"><svg%20onload=alert(domain)>. This issue has been patched in version 2.6.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Resque < 2.6.0 has a reflected XSS in the /queues endpoint allowing arbitrary JS execution via crafted URL.

Root Cause

Resque, a Redis-backed Ruby library for background jobs, suffers from a reflected cross-site scripting (XSS) vulnerability in its web frontend. The /queues endpoint reflects the queue name taken from the URL path (params[:id]) into the page without encoding it for the HTML context, so an attacker can inject arbitrary HTML and JavaScript by appending a crafted path segment to the URL [1][2][3]. The advisory demonstrates that requesting /queues/"><svg%20onload=alert(domain)> triggers script execution in the victim's browser [3]. The fix commit shows the exact sink: in lib/resque/server/views/queues.erb the queue name was interpolated into the action attribute of the "Remove Queue" form, where a double quote in the name closes the attribute and the rest of the payload is parsed as a new element; the adjacent <h1> already escaped the same value.

Attack Vector

An attacker exploits this issue by crafting a URL whose final path segment carries the payload and enticing a user to open it (e.g., via phishing, social media, or a malicious link). No authentication is required; the only precondition is that the victim's browser can reach the Resque web interface, which is typically mounted inside an application or on an internal host. The attack is fully reflected: the payload travels in the request and is echoed back in the response without HTML encoding, so nothing is stored in Redis and no prior interaction with the server is needed [2][3].
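The following is an added example, not code from the resque project, that reproduces the mechanism described in Root Cause and Attack Vector above with a minimal ERB stand-in for the affected form. The helpers `u` and `escape_html` are reimplemented here under the assumption that `u` only joins path parts without any HTML encoding and `escape_html` is a plain HTML entity encoder; the payload is the one from the advisory URL, decoded the way a web framework decodes a path segment.

```ruby
require 'erb'
require 'cgi'

# Payload as it appears in the advisory URL, then decoded as a path segment
# would be before it reaches params[:id] (assumption: standard percent-decoding).
RAW_SEGMENT = '"><svg%20onload=alert(domain)>'.freeze
PAYLOAD = CGI.unescape(RAW_SEGMENT).freeze   # => "\"><svg onload=alert(domain)>"

# Stand-in for resque's `u` helper (assumption): joins path parts, no HTML encoding.
def u(path)
  ('/' + path).squeeze('/')
end

# Stand-in for resque's `escape_html` helper: encodes < > & " ' as entities.
def escape_html(str)
  CGI.escapeHTML(str)
end

# The form line from queues.erb before and after the fix (reconstructed, not
# copied from a release). %q{} keeps the #{...} interpolation for ERB to evaluate.
VULNERABLE = %q{<form method="POST" action="<%= u "/queues/#{current_queue}/remove" %>" class='remove-queue'>}
HARDENED   = %q{<form method="POST" action="<%= u "/queues/#{escape_html(current_queue)}/remove" %>" class='remove-queue'>}

# Render a template with `current_queue` bound the way Sinatra would bind params[:id].
def render(template, current_queue)
  ERB.new(template).result(binding)
end

# The template contains exactly one element (<form>); any further tag start
# means the reflected value broke out of the attribute and created markup.
def breakout?(html)
  html.scan(/<[A-Za-z]/).size > 1
end

if $PROGRAM_NAME == __FILE__
  [VULNERABLE, HARDENED].each do |tpl|
    html = render(tpl, PAYLOAD)
    puts html
    puts "breakout: #{breakout?(html)}"
  end
end
```

In the vulnerable rendering the action attribute ends at the injected `"` and `<svg onload=alert(domain)>` becomes a real element whose onload handler fires on parse; in the hardened rendering the same characters arrive as `&quot;&gt;&lt;svg ...&gt;` inside the attribute and the browser never sees a second tag.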

Impact

Successful exploitation executes attacker-controlled JavaScript in the origin of the Resque web interface. From there the script can read or exfiltrate whatever that origin exposes (session cookies without the HttpOnly flag, the queue and failure data shown in the UI), deface the page, redirect the victim, or submit the interface's own state-changing forms on the victim's behalf; the affected page itself renders the "Remove Queue" POST form, so a victim with access to it can be made to delete a queue. Since Resque's web UI is commonly used to monitor background jobs in development and production environments, the impact is elevated wherever the UI is reachable by untrusted users or by users whose browsers can be lured to an attacker-controlled link.

Remediation

The vulnerability has been patched in Resque version 2.6.0 [3]; users are strongly advised to upgrade to that version or later. If an immediate upgrade is not possible, restricting access to the Resque web interface (e.g., firewalls, VPN, or an authenticating reverse proxy) reduces the attack surface, though it does not remove the reflected XSS for users who can still reach the UI [1][4]. A separate Ruby Advisory Database entry also tracks this CVE [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
resque | RubyGems | < 2.6.0 | 2.6.0

Affected products: 2

Patches: 1
7623b8dfbdd0

Fix reflected XSS in queue

https://github.com/resque/resque · Priya Hinduja · Mar 7, 2023 · via GHSA
1 file changed · +1 −1
  • lib/resque/server/views/queues.erb (+1 −1, modified)
    @@ -3,7 +3,7 @@
     <% if current_queue = params[:id] %>
     
       <h1>Pending jobs on <span class='hl'><%= h escape_html(current_queue) %></span></h1>
    -  <form method="POST" action="<%=u "/queues/#{current_queue}/remove" %>" class='remove-queue'>
    +  <form method="POST" action="<%=u "/queues/#{escape_html(current_queue)}/remove" %>" class='remove-queue'>
         <input type='submit' name='' value='Remove Queue' class="confirmSubmission" />
       </form>
       <p class='sub'><%= page_entries_info start = params[:start].to_i, start + 19, size = resque.size(current_queue), 'job' %></p>
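Review bot: the `escape_html` wrapping on the `+` line closes the attribute breakout (a `"` in the queue name now renders as `&quot;`), but the segment is still not URL-encoded, so a queue name containing `/`, `?`, `#` or `%` still produces an action URL that routes to the wrong handler or decodes to a different name on the POST side; consider building the path from a URL-escaped segment (e.g. `Rack::Utils.escape_path(current_queue)`) and then HTML-escaping the result for the attribute, so both encodings are applied in the right order. On the unchanged `<h1>` line above, `h escape_html(current_queue)` applies the escape twice if `h` is the usual alias of `escape_html`, which would display `&amp;lt;` for a `<` in a queue name; a single call is enough there, and using one consistent helper for every reflection of `current_queue` in this view would make it harder for a third sink to be missed.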
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.