VYPR
Medium severity (6.1) · NVD Advisory · Published May 7, 2026 · Updated May 8, 2026

CVE-2025-67202

Description

Sidekiq-cron through 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (XSS) vulnerability via a crafted URL being rendered from cron.erb.
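As an added illustration, not code from the advisory or from sidekiq-cron itself, the following Ruby renders two ERB fragments shaped like the affected view lines: one interpolating a namespace string raw, the other applying the same CGI.escapeHTML (text context) and CGI.escape (URL path segment) calls the upstream fix uses. The namespace value and both template fragments are constructed for this example.

```ruby
require "erb"
require "cgi"

# Constructed sample: a namespace carrying characters that matter in HTML
# text, in an HTML attribute and in a URL path segment.
SAMPLE_NAMESPACE = 'team "a" <b>&c</b> d/e'

# Shape of the view before the fix: the value is interpolated raw into
# element text and into a form action URL.
UNESCAPED_TEMPLATE = <<~ERB
  <small>(<%= namespace %>)</small>
  <form action="/cron/namespaces/<%= namespace %>/all/delete" method="post"></form>
ERB

# Shape of the view after the fix: HTML-escape for text content, percent-
# encode for the path segment; .to_s keeps a nil namespace from raising.
ESCAPED_TEMPLATE = <<~ERB
  <small>(<%= CGI.escapeHTML(namespace.to_s) %>)</small>
  <% escaped_namespace = CGI.escape(namespace.to_s) %>
  <form action="/cron/namespaces/<%= escaped_namespace %>/all/delete" method="post"></form>
ERB

# Render a template with the namespace bound as a local variable.
def render(template, namespace)
  ERB.new(template).result_with_hash(namespace: namespace)
end

def render_unescaped(namespace)
  render(UNESCAPED_TEMPLATE, namespace)
end

def render_escaped(namespace)
  render(ESCAPED_TEMPLATE, namespace)
end

# Number of tag starts in the output. The templates themselves contribute
# exactly four (<small>, </small>, <form, </form>); anything beyond that
# came from the interpolated value.
def tag_count(html)
  html.scan(%r{</?[A-Za-z]}).size
end

# Path segments of the form's action attribute. With percent-encoding the
# namespace stays one segment even when it contains "/", so the route the
# form posts to is unchanged by the value.
def action_segments(html)
  html[/action="([^"]*)"/, 1].split("/")
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(SAMPLE_NAMESPACE)
  puts render_escaped(SAMPLE_NAMESPACE)
end
```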

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                | Affected versions | Patched versions
sidekiq-cron (RubyGems) | < 2.4.0           | 2.4.0

Affected products: 1

Patches: 1

7b4ae4822f93

Fix reflected XSS on Sidekiq-UI. (#568)

https://github.com/sidekiq-cron/sidekiq-cron · Florian Wininger · Dec 1, 2025 · via GHSA
2 files changed · +12 −10
  • lib/sidekiq/cron/views/cron.erb (+6 −5, modified)
    @@ -2,23 +2,24 @@
       <header>
         <h2>
           <%= t('CronJobs') %>
    -      <small>(<%= @current_namespace %>)</small>
    +      <small>(<%= CGI.escapeHTML(@current_namespace.to_s) %>)</small>
         </h2>
         <% if @cron_jobs.size > 0 %>
    +      <% escaped_current_namespace = CGI.escape(@current_namespace) %>
           <div class="filter buttons-row">
    -        <form action="<%= root_path %>cron/namespaces/<%= @current_namespace %>/all/delete" method="post">
    +        <form action="<%= root_path %>cron/namespaces/<%= escaped_current_namespace %>/all/delete" method="post">
               <%= csrf_tag %>
               <input class="btn btn-danger" type="submit" name="delete" value="<%= t('DeleteAll') %>" data-confirm="<%= t('AreYouSureDeleteCronJobs') %>" />
             </form>
    -        <form action="<%= root_path %>cron/namespaces/<%= @current_namespace %>/all/disable" method="post">
    +        <form action="<%= root_path %>cron/namespaces/<%= escaped_current_namespace %>/all/disable" method="post">
               <%= csrf_tag %>
               <input class="btn btn-primary" type="submit" name="enqueue" value="<%= t('DisableAll') %>" />
             </form>
    -        <form action="<%= root_path %>cron/namespaces/<%= @current_namespace %>/all/enable" method="post">
    +        <form action="<%= root_path %>cron/namespaces/<%= escaped_current_namespace %>/all/enable" method="post">
               <%= csrf_tag %>
               <input class="btn btn-primary" type="submit" name="enqueue" value="<%= t('EnableAll') %>" />
             </form>
    -        <form action="<%= root_path %>cron/namespaces/<%= @current_namespace %>/all/enqueue" method="post">
    +        <form action="<%= root_path %>cron/namespaces/<%= escaped_current_namespace %>/all/enqueue" method="post">
               <%= csrf_tag %>
               <input class="btn btn-primary" type="submit" name="enqueue" value="<%= t('EnqueueAll') %>" data-confirm="<%= t('AreYouSureEnqueueCronJobs') %>" />
             </form>
    
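Review bot: the two escaping calls in this hunk treat a nil namespace differently: the header line uses `CGI.escapeHTML(@current_namespace.to_s)`, but the new `<% escaped_current_namespace = CGI.escape(@current_namespace) %>` line omits `.to_s`, so a nil `@current_namespace` would raise from CGI.escape as soon as `@cron_jobs` is non-empty; suggest `CGI.escape(@current_namespace.to_s)` for symmetry. Also, CGI.escape produces query-string encoding (a space becomes `+`) while the value here is a URL path segment; `ERB::Util.url_encode(@current_namespace.to_s)` (a space becomes `%20`) is the more precise choice, and like CGI.escape it emits no `"`, `<` or `&`, so the `action` attribute stays well-formed. Finally, confirm that `cgi` is required where these views are rendered rather than relying on it being loaded transitively.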
  • lib/sidekiq/cron/views/legacy/cron.erb (+6 −5, modified)
    @@ -2,24 +2,25 @@
       <div class='col-sm-5 pull-left'>
         <h3>
           <%= t('CronJobs') %>
    -      <small><%= @current_namespace %></small>
    +      <small><%= CGI.escapeHTML(@current_namespace.to_s) %></small>
         </h3>
       </div>
       <div class='col-sm-7 pull-right h2'>
         <% if @cron_jobs.size > 0 %>
    -      <form action="<%= root_path %>cron/namespaces/<%= @current_namespace %>/all/delete" method="post" class="pull-right">
    +      <% escaped_current_namespace = CGI.escape(@current_namespace) %>
    +      <form action="<%= root_path %>cron/namespaces/<%= escaped_current_namespace %>/all/delete" method="post" class="pull-right">
             <%= csrf_tag %>
             <input class="btn btn-danger" type="submit" name="delete" value="<%= t('DeleteAll') %>" data-confirm="<%= t('AreYouSureDeleteCronJobs') %>" />
           </form>
    -      <form action="<%= root_path %>cron/namespaces/<%= @current_namespace %>/all/disable" method="post" class="pull-right">
    +      <form action="<%= root_path %>cron/namespaces/<%= escaped_current_namespace %>/all/disable" method="post" class="pull-right">
             <%= csrf_tag %>
             <input class="btn btn-warn" type="submit" name="enqueue" value="<%= t('DisableAll') %>" />
           </form>
    -      <form action="<%= root_path %>cron/namespaces/<%= @current_namespace %>/all/enable" method="post" class="pull-right">
    +      <form action="<%= root_path %>cron/namespaces/<%= escaped_current_namespace %>/all/enable" method="post" class="pull-right">
             <%= csrf_tag %>
             <input class="btn btn-warn" type="submit" name="enqueue" value="<%= t('EnableAll') %>" />
           </form>
    -      <form action="<%= root_path %>cron/namespaces/<%= @current_namespace %>/all/enqueue" method="post" class="pull-right">
    +      <form action="<%= root_path %>cron/namespaces/<%= escaped_current_namespace %>/all/enqueue" method="post" class="pull-right">
             <%= csrf_tag %>
             <input class="btn btn-warn" type="submit" name="enqueue" value="<%= t('EnqueueAll') %>" data-confirm="<%= t('AreYouSureEnqueueCronJobs') %>" />
           </form>
    
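Review bot: same `.to_s` asymmetry as in the non-legacy view: `CGI.escape(@current_namespace)` here lacks the `.to_s` that the `CGI.escapeHTML(@current_namespace.to_s)` line above it has, so the two templates fail differently on a nil namespace; align them with `CGI.escape(@current_namespace.to_s)`. Since this hunk duplicates the escaping logic of lib/sidekiq/cron/views/cron.erb line for line, consider computing an HTML-safe and a path-safe form of the namespace once, in the code that sets `@current_namespace`, and having both templates consume those, so a future change to the encoding cannot fix one view and miss the other.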

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.