Audited Log Integrity Errors Due to Race Condition
Description
A race condition exists in Audited 4.0.0 through 5.3.3 that can allow an authenticated user to cause audit log entries to be attributed to another user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Audited 4.0.0–5.3.3 allows authenticated users to manipulate audit log attribution.
Vulnerability
Description
A race condition exists in Audited (formerly acts_as_audited), a Ruby gem for logging model changes, in versions 4.0.0 through 5.3.3. The bug originates from the use of Thread.current to store the current user making changes, which is not thread-safe in concurrent environments. This can lead to audit log entries being attributed to an incorrect user when multiple requests are processed simultaneously [1][2].
Exploitation
An authenticated user can exploit this race condition by sending concurrent requests that trigger audit logging. The thread-local variable may be overwritten by another request's user context, causing the audit entry to be associated with a different user. The attack requires the ability to make authenticated requests and for the application to handle multiple requests concurrently [1][3].
Impact
Successful exploitation allows an attacker to cause audit log entries to be falsely attributed to another user, potentially framing that user or hiding the attacker's own actions. This undermines the integrity of the audit trail, which is critical for accountability and security monitoring in applications relying on Audited [3].
Mitigation
The issue is fixed in Audited version 5.3.3. Users are advised to upgrade to this version or later. The fix was implemented in pull request #669, which replaces Thread.current with RequestStore for thread-safe storage, and released in pull request #671 [1][4].
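The following is an added example, not code from the Audited gem or its fix. It models one way the misattribution described above becomes visible: a threaded server reuses its worker threads, so a value that one request leaves in a thread-local store is still there when the next request is handled on the same thread (the narrative above describes the concurrent-overwrite view; this single-thread replay is an assumption made so the effect is deterministic). `LeakyStore` mirrors the shape of the pre-fix `Audited.store`, `ScopedStore` is a hypothetical stand-in for what request_store provides (a store that is dropped at the end of each request), and `serve`, `REQUESTS` and the two `*_attribution` helpers are constructed for the demonstration.

```ruby
# Added example, not code from the Audited gem. Names LeakyStore, ScopedStore,
# serve and REQUESTS are hypothetical; ScopedStore stands in for request_store.

# Pre-fix shape: a hash kept in a Ruby thread variable that nothing ever clears.
module LeakyStore
  def self.store
    current = Thread.current.thread_variable_get(:audited_store)
    return current unless current.nil?
    Thread.current.thread_variable_set(:audited_store, {})
    Thread.current.thread_variable_get(:audited_store)
  end

  # Nothing reset the thread variable when a request finished.
  def self.end_request; end
end

# Fixed shape: same per-thread lookup, but the store is dropped when the request
# ends, as request_store's Rack middleware does in its ensure block.
module ScopedStore
  def self.store
    Thread.current[:audited_store] ||= {}
  end

  def self.end_request
    Thread.current[:audited_store] = nil
  end
end

# Constructed requests. The second one never sets a current user (for example an
# endpoint served without a signed-in user, or a code path that forgot to set it).
REQUESTS = [
  { user: "alice", change: "update account 1" },
  { user: nil,    change: "update account 2" },
].freeze

# Runs every request on ONE reused worker thread and records which user an audit
# entry written during each request would be attributed to.
def serve(requests, store)
  audit_log = []
  worker = Thread.new do
    requests.each do |req|
      begin
        store.store[:current_user] = req[:user] if req[:user]
        audit_log << { change: req[:change], user: store.store[:current_user] }
      ensure
        store.end_request
      end
    end
  end
  worker.join
  audit_log
end

# With the leaky store the second change is wrongly attributed to alice.
def leaky_attribution
  serve(REQUESTS, LeakyStore).map { |entry| entry[:user] }
end

# With the request-scoped store the second change carries no user at all.
def scoped_attribution
  serve(REQUESTS, ScopedStore).map { |entry| entry[:user] }
end

if __FILE__ == $PROGRAM_NAME
  p leaky_attribution   # ["alice", "alice"]
  p scoped_attribution  # ["alice", nil]
end
```

The point of the contrast is that the lookup itself is not the bug: both stores are keyed per thread. What matters is who clears the store at the request boundary, which is the responsibility the fix hands to request_store; an application that drives Audited outside a request cycle therefore has to take care of that reset itself.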
- Use RequestStore instead of Thread.current for thread-safe requests. by tiagocassio · Pull Request #669 · collectiveidea/audited
- GitHub - collectiveidea/audited: Audited (formerly acts_as_audited) is an ORM extension that logs all changes to your Rails models.
- NVD - CVE-2024-22047
- Preparing for release 5.3.3 by giovannism20 · Pull Request #671 · collectiveidea/audited
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| audited (RubyGems) | >= 4.0.0, < 5.3.3 | 5.3.3 |
Affected products
- Range: v4.0.0, v4.10.0, v4.2.0, …
Patches
342734c9396d Merge pull request #669 from convisoappsec/main
3 files changed · +5 −13
audited.gemspec+1 −0 modified@@ -17,6 +17,7 @@ Gem::Specification.new do |gem| gem.required_ruby_version = ">= 2.3.0" gem.add_dependency "activerecord", ">= 5.0", "< 7.1" + gem.add_dependency "request_store", "~> 1.2" gem.add_development_dependency "appraisal" gem.add_development_dependency "rails", ">= 5.0", "< 7.1"
lib/audited.rb+2 −7 modified@@ -1,6 +1,7 @@ # frozen_string_literal: true require "active_record" +require "request_store" module Audited class << self @@ -24,13 +25,7 @@ def audit_class deprecate audit_model: "use Audited.audit_class instead of Audited.audit_model. This method will be removed." def store - current_store_value = Thread.current.thread_variable_get(:audited_store) - - if current_store_value.nil? - Thread.current.thread_variable_set(:audited_store, {}) - else - current_store_value - end + RequestStore.store[:audited_store] ||= {} end def config
spec/audited_spec.rb+2 −6 modified@@ -3,16 +3,12 @@ describe Audited do describe "#store" do describe "maintains state of store" do - let(:current_user) { "current_user" } + let(:current_user) { RequestStore.store[:audited_store] } before { Audited.store[:current_user] = current_user } - it "when executed without fibers" do + it "checks store is not nil" do expect(Audited.store[:current_user]).to eq(current_user) end - - it "when executed with Fibers" do - Fiber.new { expect(Audited.store[:current_user]).to eq(current_user) }.resume - end end end end
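Review bot: in the audited.gemspec hunk, `gem.add_dependency "request_store", "~> 1.2"` introduces a new runtime dependency that the rest of the patch does not document; the CHANGELOG and README should state that Audited's store now lives in request_store and that its lifetime follows request_store's request boundary, so that applications using Audited outside a request cycle know the reset is no longer Audited's own doing.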
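Review bot: in the lib/audited.rb hunk, `RequestStore.store[:audited_store] ||= {}` keeps the lazy-initialisation behaviour of the old `store` but contains no reset of its own; the cross-request fix relies entirely on request_store clearing its store between requests. A one-line comment above `def store` saying that clearing is delegated to request_store would make that dependency explicit for the next reader of this method.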
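Review bot: the spec/audited_spec.rb hunk makes the remaining example tautological: `let(:current_user) { RequestStore.store[:audited_store] }` resolves to the store hash itself, so `Audited.store[:current_user] = current_user` stores the hash inside itself and `expect(Audited.store[:current_user]).to eq(current_user)` cannot fail. Keep a plain value such as `let(:current_user) { "current_user" }` and add a case that exercises the fix, for example asserting the value is gone after `RequestStore.clear!`. The deletion of the "when executed with Fibers" example is also a behaviour change worth a CHANGELOG line, since the store moves away from thread variables.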
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hjp3-5g2q-7jww (GHSA, third-party advisory)
- github.com/collectiveidea/audited/security/advisories/GHSA-hjp3-5g2q-7jww (GHSA, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-22047 (GHSA, advisory)
- vulncheck.com/advisories/vc-advisory-GHSA-hjp3-5g2q-7jww (MITRE, third-party advisory)
- github.com/collectiveidea/audited/commit/342734c9396d8f96d3165f1d8531c626139fa4c6 (GHSA, fix commit)
- github.com/collectiveidea/audited/issues/601 (GHSA, issue tracking)
- github.com/collectiveidea/audited/pull/669 (GHSA, related pull request)
- github.com/collectiveidea/audited/pull/671 (GHSA, related pull request)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/audited/CVE-2024-22047.yml (GHSA)
News mentions
No linked articles in our index yet.