Advisory Database
  • Advisories
  • Dependency Scanning
  1. gem
  2. ›
  3. secure_headers
  4. ›
  5. CVE-2026-54163

CVE-2026-54163: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input

July 10, 2026

secure_headers builds the Content-Security-Policy value by stitching every configured directive together with ; separators. Three directive builders (build_sandbox_list_directive, build_media_type_list_directive, build_report_to_directive) interpolate caller-supplied strings into that value without scrubbing ;, \r, or \n.

When an application forwards untrusted input into SecureHeaders.override_content_security_policy_directives (or append_…) for :sandbox, :plugin_types, or :report_to, an attacker can embed a literal ; and inject an arbitrary CSP directive into the header value. Because :sandbox and :plugin_types both sort alphabetically before :script_src in BODY_DIRECTIVES, the injected script-src lands earlier in the header and wins under the CSP first-occurrence rule, defeating the application’s real script-src. End result: an 'unsafe-inline' * policy is forced for inline <script> despite the configured strict CSP, giving full XSS reachability anywhere reflected or stored content meets one of these three sinks.

An existing ;/\n scrub is already present in the source-list builder (build_source_list_directive), but the three sibling builders here never received the same treatment and still emit caller bytes verbatim into the CSP value.

References

  • github.com/advisories/GHSA-rqq5-2gf9-4w4q
  • github.com/github/secure_headers/security/advisories/GHSA-rqq5-2gf9-4w4q
  • github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2026-54163.yml
  • nvd.nist.gov/vuln/detail/CVE-2026-54163
  • www.cve.org/CVERecord/SearchResults?query=CVE-2026-54163

Code Behaviors & Features

Detect and mitigate CVE-2026-54163 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 7.3.0

Fixed versions

  • 7.3.0

Solution

Upgrade to version 7.3.0 or above.

Impact 4.7 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Learn more about CVSS

Weakness

  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

gem/secure_headers/CVE-2026-54163.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 11 Jul 2026 12:18:40 +0000.