Ruby on Rails Active Support SafeBuffer HTML Safety Bypass Vulnerability
Vulnerability
A vulnerability exists in the Active Support component of Ruby on Rails, affecting versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. The issue arises because the SafeBuffer#% method fails to carry the @html_unsafe flag over to the new buffer it returns. The flaw is triggered by mutating a SafeBuffer in place (for example with gsub!) so that it contains untrusted input and then calling the % method on it. The resulting buffer is incorrectly reported as HTML safe, which bypasses automatic escaping in ERB and can lead to cross-site scripting (XSS).
Impact
Exploitation of this vulnerability can cause cross-site scripting (XSS) issues by allowing unsafe content to be treated as safe, bypassing necessary HTML escaping.
Reproduction
To reproduce this vulnerability, create a SafeBuffer and mark it as HTML safe. Then, use the gsub! method to mutate the buffer by replacing certain patterns with untrusted content. Afterward, apply the % formatting method. The resulting buffer will incorrectly report as HTML safe, despite containing untrusted data that could be used for XSS attacks.
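The following Ruby is an added illustration, not the advisory's or Rails' own code: a minimal stand-in class (ModelSafeBuffer, a constructed name) models the @html_unsafe flag described above, with the flag-dropping % behaviour beside a version that propagates it, and a tiny ERB-style output step showing why the flag matters. The untrusted string and the helper names are constructed for this example.

```ruby
require "cgi"

# Constructed stand-in for ActiveSupport::SafeBuffer (not the library's code):
# a String that remembers whether it still holds only trusted content.
class ModelSafeBuffer < String
  def initialize(str = "")
    super
    @html_unsafe = false
  end

  def html_safe?
    !@html_unsafe
  end

  # In-place mutation may splice in arbitrary text, so the buffer is no
  # longer trustworthy and the flag flips.
  def gsub!(*args, &block)
    @html_unsafe = true
    super
  end

  # Vulnerable behaviour: a brand-new buffer is returned and the receiver's
  # @html_unsafe state is not transferred, so it reports html_safe? == true.
  def format_vulnerable(args)
    self.class.new(String.new(self) % args)
  end

  # Fixed behaviour: the new buffer inherits the receiver's unsafe state.
  def format_fixed(args)
    out = self.class.new(String.new(self) % args)
    out.instance_variable_set(:@html_unsafe, true) unless html_safe?
    out
  end
end

# Stand-in for ERB's output step: only buffers flagged safe are emitted raw.
def erb_output(buf)
  buf.html_safe? ? buf.to_s : CGI.escapeHTML(buf.to_s)
end

UNTRUSTED = "<b>untrusted</b>"  # constructed untrusted input

# Follows the advisory's steps: mark safe, mutate with gsub!, then format.
def reproduce(fixed:)
  buf = ModelSafeBuffer.new("Hello NAME, %s")
  buf.gsub!("NAME", UNTRUSTED)
  fixed ? buf.format_fixed("world") : buf.format_vulnerable("world")
end
```

With the vulnerable path, erb_output emits the untrusted markup unescaped; with the fixed path, the buffer is still flagged unsafe and ERB's escaping step applies.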
Remediation
Users can upgrade to Active Support versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 to address this vulnerability.
