Ruby on Rails Active Record
cpe:2.3:a:activerecord_project:activerecord:*:*:*:*:ruby:*:*
- >= 8.0, < 8.0.2.1
- >= 7.2, < 7.2.2.2
- >= 0, < 7.1.5.2
Active Record versions before 7.1.5.2, 7.2.2.2, and 8.0.2.1 log the ID passed to 'find' and similar ID-retrieving methods without escaping it. An ID that contains ANSI escape sequences is therefore written to the log verbatim, and when that log is viewed in a terminal the terminal interprets the sequences instead of displaying them.
Because the ID is typically attacker-controlled (in a web application it usually comes straight from a request parameter), an attacker can plant escape sequences that change what a person reading the log sees: clearing or overwriting lines, repositioning the cursor, or recolouring text so that entries are hidden or misleading. The effect is on terminal rendering of the log rather than on the application itself, and how far it can be pushed depends on the terminal emulator's handling of the sequences.
To reproduce on an affected version, call 'find' (or another method that accepts an ID) with a value containing an escape sequence, for example a string that includes the ESC character followed by '[2K', and watch the Rails log in a terminal: the sequence is executed rather than printed.
Upgrade to Active Record 7.1.5.2, 7.2.2.2, or 8.0.2.1. Until the upgrade is in place, avoid tailing logs that may contain user input in a terminal without first stripping or escaping control sequences.
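The following is an added example and not code from the Rails project or from this advisory: a small pure-Ruby scrubber that neutralises ANSI escape sequences in log messages, a Logger formatter that applies it, and a scanner that flags log lines already carrying raw escapes. It assumes only the Ruby standard library ('logger'); the sample log lines, the 'User' model name and the message wording are constructed for illustration and are not taken from a real application.

```ruby
# Added example (not Active Record's own code): neutralise ANSI escape
# sequences before they reach a terminal, and detect them in existing logs.
require "logger"

# Matches the common 7-bit escape forms:
#   ESC [ params intermediates final   (CSI, e.g. "\e[2K" clear line)
#   ESC ] ... BEL or ESC \             (OSC, e.g. window title / hyperlinks)
#   ESC x                              (single-character escapes, e.g. "\e7")
# The CSI branch is listed first so "\e[" is not consumed by the last branch.
ANSI_ESCAPE_RE = /\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]|\e\].*?(?:\x07|\e\\)|\e[\x40-\x5f]/m

def ansi_escape?(text)
  ANSI_ESCAPE_RE.match?(text)
end

# Replace each raw ESC byte inside a matched sequence with the two visible
# characters "\e", so the sequence is printed instead of interpreted.
def neutralise_ansi(text)
  text.gsub(ANSI_ESCAPE_RE) { |seq| seq.gsub("\e") { "\\e" } }
end

# Drop-in formatter: Logger.new($stdout, formatter: AnsiSafeFormatter.new)
class AnsiSafeFormatter < Logger::Formatter
  def call(severity, time, progname, msg)
    super(severity, time, progname, neutralise_ansi(msg2str(msg)))
  end
end

# Constructed sample log (hypothetical app, not real output): the second
# line carries an injected id that would clear the line and move the cursor up.
SAMPLE_LOG = [
  "Started GET \"/users/42\" for 127.0.0.1",
  "ActiveRecord::RecordNotFound (Couldn't find User with 'id'=42\e[2K\e[1A)",
  "Completed 404 Not Found in 3ms",
].freeze

# Return [index, neutralised line] for every line containing a raw escape,
# so a reviewer can inspect them safely.
def suspicious_log_lines(lines)
  lines.each_with_index
       .select { |line, _| ansi_escape?(line) }
       .map { |line, i| [i, neutralise_ansi(line)] }
end

if $PROGRAM_NAME == __FILE__
  suspicious_log_lines(SAMPLE_LOG).each { |i, line| puts "line #{i}: #{line}" }
  logger = Logger.new($stdout, formatter: AnsiSafeFormatter.new)
  logger.info("id=\e[31m42\e[0m")
end
```

The regex deliberately covers only 7-bit sequences; 8-bit C1 controls (0x80-0x9f) are rare in UTF-8 logs but a stricter deployment can additionally reject any non-printable byte. Wiring the formatter into a Rails logger removes the escape at the sink, which protects every message regardless of which method logged the untrusted ID.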