CVE-2025-55193
2.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
Summary
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rails | rails | >= 0, < 7.1.5.2 | affected |
| rails | rails | >= 7.2, < 7.2.2.2 | affected |
| rails | rails | >= 8.0, < 8.0.2.1 | affected |
Weaknesses
- CWE-150: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
- https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290
- https://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b
- https://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.