CVE-2024-32887
Description
Sidekiq is simple, efficient background processing for Ruby. Sidekiq has a reflected XSS vulnerability: the value of the substr parameter is reflected in the response without any encoding, allowing an attacker to inject JavaScript code into the response of the application. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise: potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacing the web application, etc. This issue has been patched in version 7.2.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-32887 is a reflected XSS vulnerability in Sidekiq's Web UI where the substr parameter is returned without encoding, allowing JavaScript injection.
Vulnerability
CVE-2024-32887 is a reflected cross-site scripting (XSS) vulnerability affecting Sidekiq, a background processing library for Ruby. The flaw exists in the Web UI component, where the value of the substr parameter is reflected in the server's response without any encoding or sanitization. This permits an attacker to inject arbitrary JavaScript code into the response [1].
Exploitation
An attacker can exploit this by crafting a malicious link containing the injected payload in the substr parameter. The victim must be logged into the Sidekiq Web UI and click the link. Because the Web UI is often hosted on the same domain as other applications, users of those applications could also be affected, potentially widening the attack surface [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This could lead to account compromise, forced actions on behalf of the user, theft of sensitive data, cross-origin attacks (CORS), or defacement of the web application [1].
Mitigation
The vulnerability has been patched in Sidekiq version 7.2.4 [3]. The fix includes proper encoding of the substr parameter before reflecting it in the response [2]. Users are strongly advised to upgrade to the latest version. As of this writing, there is no evidence that this CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
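The Mitigation paragraph above says the fix encodes the substr parameter before reflecting it. The following is an added example, not Sidekiq's own code, that reproduces the affected input element in a stand-alone ERB view so the unescaped and escaped renderings can be compared. It assumes only the Ruby standard library: the class `MetricsFilterView` and the functions `render_vulnerable`, `render_patched` and `reflected_unescaped?` are constructed for this example, and the `h` helper here comes from `ERB::Util` rather than from Sidekiq's view helpers.

```ruby
require "erb"

# Added example, not Sidekiq's code. It reproduces the single line that
# CVE-2024-32887 turns on: the metrics filter input in web/views/metrics.erb
# echoing params[:substr] into a double-quoted value="" attribute.
# Sidekiq's patch wraps the value in its `h` view helper; here `h` comes from
# ERB::Util (standard library) so the example runs without Rack or Sidekiq.

# Pre-7.2.4 shape: the parameter is interpolated raw (constructed copy).
VULNERABLE_TEMPLATE = <<~ERB
  <input id="class-filter" class="form-control" type="text" name="substr" value="<%= params[:substr] %>">
ERB

# 7.2.4 shape: the parameter is HTML-escaped before interpolation.
PATCHED_TEMPLATE = <<~ERB
  <input id="class-filter" class="form-control" type="text" name="substr" value="<%= h params[:substr] %>">
ERB

# Minimal stand-in for a view context: exposes `params` and the `h` helper.
# ERB::Util#h escapes & < > " ' so a value cannot close the attribute or
# open a tag.
class MetricsFilterView
  include ERB::Util

  attr_reader :params

  def initialize(params)
    @params = params
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_vulnerable(substr)
  MetricsFilterView.new(substr: substr).render(VULNERABLE_TEMPLATE)
end

def render_patched(substr)
  MetricsFilterView.new(substr: substr).render(PATCHED_TEMPLATE)
end

# Regression check a maintainer could keep: when the input carries attribute
# or tag delimiters, the rendered page must not contain it verbatim.
def reflected_unescaped?(html, input)
  html.include?(input)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed probe: a double quote to leave value="", then a harmless tag.
  probe = %q{"><b>injected</b>}
  puts "vulnerable: #{render_vulnerable(probe)}"
  puts "patched:    #{render_patched(probe)}"
  puts "raw reflection before fix: #{reflected_unescaped?(render_vulnerable(probe), probe)}"
  puts "raw reflection after fix:  #{reflected_unescaped?(render_patched(probe), probe)}"
end
```

Running the file prints both renderings: in the vulnerable one the probe's quote terminates the value attribute and the `<b>` element lands in the page, while in the patched one it appears as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;` inside the attribute. Ordinary filter strings render identically in both versions, which is why the escaping costs nothing functionally.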
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| sidekiq | RubyGems | >= 7.2.0, < 7.2.4 | 7.2.4 |
Affected products
Coordinates sourced from OSV.
| Package (purl) | CPE | Affected range |
|---|---|---|
| pkg:deb/ubuntu/ruby-sidekiq@4.0.1+dfsg-2?arch=source&distro=esm-apps/xenial | (no CPE) | >= 0 |
| pkg:deb/ubuntu/ruby-sidekiq@5.0.4+dfsg-2?arch=source&distro=esm-apps/bionic | (no CPE) | >= 0 |
| pkg:deb/ubuntu/ruby-sidekiq@5.2.7+dfsg-1?arch=source&distro=esm-apps/focal | (no CPE) | >= 0 |
| pkg:deb/ubuntu/ruby-sidekiq@6.3.1+dfsg-1?arch=source&distro=jammy | (no CPE) | >= 0 |
| pkg:deb/ubuntu/ruby-sidekiq@6.5.12+dfsg-1?arch=source&distro=noble | (no CPE) | >= 0 |
| pkg:deb/ubuntu/ruby-sidekiq@6.5.12+dfsg-1?arch=source&distro=oracular | (no CPE) | >= 0 |
| pkg:deb/ubuntu/ruby-sidekiq@7.3.2+dfsg-1?arch=source&distro=plucky | (no CPE) | >= 0 |
| pkg:gem/sidekiq | (no CPE) | >= 7.2.0, < 7.2.4 |
Patches
3 files changed · +8 −2
Changes.md+6 −0 modified@@ -2,6 +2,12 @@ [Sidekiq Changes](https://github.com/sidekiq/sidekiq/blob/main/Changes.md) | [Sidekiq Pro Changes](https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md) | [Sidekiq Enterprise Changes](https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md) +7.2.4 +---------- + +- Fix XSS in metrics filtering introduced in 7.2.0, CVE-2024-32887 + Thanks to @UmerAdeemCheema for the security report. + 7.2.3 ----------
lib/sidekiq/version.rb+1 −1 modified@@ -1,6 +1,6 @@ # frozen_string_literal: true module Sidekiq - VERSION = "7.2.3" + VERSION = "7.2.4" MAJOR = 7 end
web/views/metrics.erb+1 −1 modified@@ -12,7 +12,7 @@ <form id="metrics-form" class="form-inline" action="<%= root_path %>filter/metrics" method="post"> <%= csrf_tag %> <label for="substr"><%= t('Filter') %></label> - <input id="class-filter" class="form-control" type="text" name="substr" placeholder="<%= t('Name') %>" value="<%= params[:substr] %>"> + <input id="class-filter" class="form-control" type="text" name="substr" placeholder="<%= t('Name') %>" value="<%= h params[:substr] %>"> <select id="period-selector" class="form-control" name="period"> <% @periods.each_key do |code| %> <% if code == @period %>
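Review bot: the Changes.md entry says when the bug was introduced (7.2.0) but not where it lives; naming the metrics filter form and its field, and linking the advisory, would let operators confirm exposure without reading the diff. Suggested wording: `- Fix XSS in the metrics filter form (web/views/metrics.erb, substr parameter) introduced in 7.2.0, CVE-2024-32887 / GHSA-q655-3pj8-9fxq`.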
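Review bot: in the metrics.erb hunk, wrapping `params[:substr]` in `h` closes the attribute breakout for this input's `value=""` (the helper encodes `"`, `<` and `>`), but it is the only reflection the hunk touches. Before merging, check the rest of metrics.erb and the `filter/metrics` response for any other echo of `substr` (a results heading, a hidden field, inline script) and escape those the same way. A regression test that posts a `substr` containing a double quote and angle brackets and asserts the rendered page contains `&quot;` and `&lt;` rather than the raw characters would keep this from reappearing.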
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q655-3pj8-9fxq (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-32887 (source: GHSA; type: advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/sidekiq/CVE-2024-32887.yml (source: GHSA; type: web)
- github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d (source: NVD; type: web)
- github.com/sidekiq/sidekiq/releases/tag/v7.2.4 (source: NVD; type: web)
- github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq (source: NVD; type: web)
News mentions
No linked articles in our index yet.