Rails, XSS in Action Pack debug exceptions, CVE pending (Low)

Listen to this Post

The vulnerability stems from the Action Pack debug exceptions page (the detailed error page shown when config.consider_all_requests_local = true) failing to escape exception messages. When an application raises an exception, the message is embedded directly into the HTML response without sanitization. An attacker who can control part of an exception message—for instance, by crafting a request that triggers a deliberate error with a malicious string—can inject arbitrary HTML or JavaScript. Because the debug page is designed for development, it is typically enabled only in non‑production environments, but if exposed (e.g., through misconfiguration or staging) it becomes an attack vector. The injection occurs in the context of the Rails application’s domain, allowing execution of scripts that could steal session cookies, perform CSRF, or redirect users. The issue resides in `ActionDispatch::ExceptionWrapper` and the corresponding views; the exception message is interpolated without calling html_escape. The fix adds proper escaping to all user‑supplied data displayed on the debug page. Any application that runs with `consider_all_requests_local = true` and allows remote users to influence exception messages (e.g., via parameters that later raise a formatted error) is vulnerable. The vulnerability is classified as low severity because it requires the debug mode to be active and an attacker to find a way to inject content into a raised exception; nevertheless, it can be chained with other bugs to escalate impact.

dailycve form:

Platform: Ruby on Rails
Version: All vulnerable versions
Vulnerability: XSS in debug
Severity: Low
date: Mar 23 2026

Prediction: Already patched Mar23

Analytics under heading What Undercode Say:

Check current Rails version
rails -v
Identify vulnerable versions (e.g., < 7.0.9, < 6.1.7.8)
bundle list | grep rails
Simulate a vulnerable exception message
curl -v 'http://localhost:3000/raise?msg=<script>alert("XSS")</script>'
Verify patch by testing after update
bundle update rails

how Exploit:

An attacker can trigger a controlled exception by sending a request that causes the app to raise an error with a crafted message, e.g., a malformed parameter that is used in a `raise` statement. When the debug page renders, the script executes in the victim’s browser if they view the error page.

Protection from this CVE

Upgrade Rails to the patched versions (7.0.9+, 6.1.7.8+, or 7.1.x containing the fix). Set `config.consider_all_requests_local = false` in production and staging environments. If detailed error pages must remain, apply the patch manually by backporting the escaping change to actionpack/lib/action_dispatch/middleware/debug_exceptions.rb.

Impact:

XSS can lead to session hijacking, theft of cookies, arbitrary actions performed on behalf of the user, and exposure of internal debugging information.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top