RubyGems package
actionpack
pkg:gem/actionpack
Vulnerabilities (63)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33167 | — | — | — | >= 8.1.0, < 8.1.2.1 | 8.1.2.1 | Mar 23, 2026 | Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript i |
| CVE-2023-28362 | Med | 4.0 | — | < 6.1.7.4 | 6.1.7.4 | Jan 9, 2025 | The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. |
| CVE-2024-54133 | Low | — | — | >= 5.2.0, < 7.0.8.7 | 7.0.8.7 | Dec 10, 2024 | Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. App |
| CVE-2024-47887 | Med | — | — | >= 4.0.0, < 6.1.7.9 | 6.1.7.9 | Oct 16, 2024 | Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP To |
| CVE-2024-41128 | Med | — | — | >= 3.1.0, < 6.1.7.9 | 6.1.7.9 | Oct 16, 2024 | Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted |
| CVE-2024-28103 | — | — | — | >= 6.1.0, < 6.1.7.8 | 6.1.7.8 | Jun 4, 2024 | Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3. |
| CVE-2024-26143 | — | — | — | >= 7.0.0, < 7.0.8.1 | 7.0.8.1 | Feb 27, 2024 | Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted |
| CVE-2024-26142 | — | — | — | >= 7.1.0, < 7.1.3.1 | 7.1.3.1 | Feb 27, 2024 | Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby |
| CVE-2023-22797 | — | — | — | >= 7.0.0, < 7.0.4.1 | 7.0.4.1 | Feb 9, 2023 | An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could a |
| CVE-2023-22795 | — | — | — | >= 4.0.0.beta1, < 6.1.7.1 | 6.1.7.1 | Feb 9, 2023 | A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Rub |
| CVE-2023-22792 | — | — | — | >= 3.0.0, < 5.2.8.15 | 5.2.8.15 | Feb 9, 2023 | A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1, <6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header, can cause the regular expression engine to enter a state of catastrophic backtracking. This |
| CVE-2022-3704 | — | — | — | <= 7.0.4 | — | Oct 26, 2022 | A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack re |
| CVE-2022-22577 | — | — | — | >= 5.2.0, < 5.2.7.1 | 5.2.7.1 | May 26, 2022 | An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses. |
| CVE-2022-23633 | — | — | — | >= 5.0.0.0, < 5.2.6.2 | 5.2.6.2 | Feb 11, 2022 | Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next reques |
| CVE-2021-44528 | — | — | — | >= 6.0.0, < 6.0.4.2 | 6.0.4.2 | Jan 7, 2022 | An open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft "X-Forwarded-Host" headers which, in combination with certain "allowed host" formats, can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. |
| CVE-2011-1497 | — | — | — | >= 3.0.0.rc, < 3.0.6 | 3.0.6 | Oct 19, 2021 | A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6. |
| CVE-2021-22942 | — | — | — | >= 6.0.0, < 6.0.4.1 | 6.0.4.1 | Oct 18, 2021 | A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. |
| CVE-2021-22904 | — | — | — | >= 6.0.0, < 6.0.3.7 | 6.0.3.7 | Jun 11, 2021 | The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` |
| CVE-2021-22903 | — | — | — | >= 6.1.0.rc2, < 6.1.3.2 | 6.1.3.2 | Jun 11, 2021 | The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. This |
| CVE-2021-22902 | — | — | — | >= 6.0.0, < 6.0.3.7 | 6.0.3.7 | Jun 11, 2021 | The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser i |
Page 1 of 4