chore: update dependency activesupport to v7.2.3.1 [security]#283
Open
chore: update dependency activesupport to v7.2.3.1 [security]#283
Conversation
judo-ci
changed the title
Signed-off-by: judo-ci <devops@judopay.com>
judo-ci
changed the title
judo-ci
force-pushed
the
chore/NONE/rubygems-activesupport-vulnerability
branch
2 times, most recently
from
105fe21 to
97cc67d
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
7.2.3→7.2.3.1Warning
Some dependencies could not be looked up. Check the warning logs for more information.
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
CVE-2026-33170 / GHSA-89vf-4333-qx8v
More information
Details
Impact
SafeBuffer#%does not propagate the@html_unsafeflag to the newly created buffer. If aSafeBufferis mutated in place (e.g. viagsub!) and then formatted with%using untrusted arguments, the result incorrectly reportshtml_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.Releases
The fixed releases are available at the normal locations.
Credit
This issue was responsibly reported by @ch4n3-yoon
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
CVE-2026-33169 / GHSA-cg4j-q9v8-6v38
More information
Details
Impact
NumberToDelimitedConverterused a regular expression withgsub!to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.Releases
The fixed releases are available at the normal locations.
Credit
This issue was responsibly reported by Hackerone researcher scyoon.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Rails Active Support has a possible DoS vulnerability in its number helpers
CVE-2026-33176 / GHSA-2j26-frm8-cmj9
More information
Details
Impact
Active Support number helpers accept strings containing scientific notation (e.g.
1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.Releases
The fixed releases are available at the normal locations.
Credit
This issue was responsibly reported by Hackerone researcher manun.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
rails/rails (activesupport)
v7.2.3.1: 7.2.3.1Compare Source
Active Support
Reject scientific notation in NumberConverter
[CVE-2026-33176]
Jean Boussier
Fix
SafeBuffer#%to preserve unsafe status[CVE-2026-33170]
Jean Boussier
Improve performance of NumberToDelimitedConverter
[CVE-2026-33169]
Jean Boussier
Active Model
Active Record
Action View
Skip blank attribute names in tag helpers to avoid generating invalid HTML.
[CVE-2026-33168]
Mike Dalessio
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Filter user supplied metadata in DirectUploadController
[CVE-2026-33173]
Jean Boussier
Configurable maxmimum streaming chunk size
Makes sure that byte ranges for blobs don't exceed 100mb by default.
Content ranges that are too big can result in denial of service.
[CVE-2026-33174]
Gannon McGibbon
Limit range requests to a single range
[CVE-2026-33658]
Jean Boussier
Prevent path traversal in
DiskService.DiskService#path_fornow raises anInvalidKeyErrorwhen passed keys with dot segments (".",".."), or if the resolved path is outside the storage root directory.
#path_foralso now consistently raisesInvalidKeyErrorif the key is invalid in any way, forexample containing null bytes or having an incompatible encoding. Previously, the exception
raised may have been
ArgumentErrororEncoding::CompatibilityError.DiskControllernow explicitly rescuesInvalidKeyErrorwith appropriate HTTP status codes.[CVE-2026-33195]
Mike Dalessio
Prevent glob injection in
DiskService#delete_prefixed.Escape glob metacharacters in the resolved path before passing to
Dir.glob.Note that this change breaks any existing code that is relying on
delete_prefixedto expandglob metacharacters. This change presumes that is unintended behavior (as other storage services
do not respect these metacharacters).
[CVE-2026-33202]
Mike Dalessio
Action Mailbox
Action Text
Railties
Guides
This PR has been generated by Mend Renovate.