Advisory Database
  • Advisories
  • Dependency Scanning
  1. gem
  2. ›
  3. actionview
  4. ›
  5. CVE-2019-5418

CVE-2019-5418: Path Traversal in Action View

March 13, 2019 (updated July 9, 2025)

File Content Disclosure in Action View

Impact

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to render which render file contents without a specified accept format. Impacted code in a controller looks something like this:

class UserController < ApplicationController 
  def index 
    render file: "#{Rails.root}/some/file" 
  end 
end 

Rendering templates as opposed to files is not impacted by this vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.

Workarounds

This vulnerability can be mitigated by specifying a format for file rendering, like this:

class UserController < ApplicationController 
  def index 
    render file: "#{Rails.root}/some/file", formats: [:html] 
  end 
end 

In summary, impacted calls to render look like this:

render file: "#{Rails.root}/some/file" 

The vulnerability can be mitigated by changing to this:

render file: "#{Rails.root}/some/file", formats: [:html] 

Other calls to render are not impacted.

Alternatively, the following monkey patch can be applied in an initializer:

$ cat config/initializers/formats_filter.rb 
# frozen_string_literal: true 

ActionDispatch::Request.prepend(Module.new do 
  def formats 
    super().select do |format| 
      format.symbol || format.ref == "*/*" 
    end 
  end 
end) 

Credits

Thanks to John Hawthorn john@hawthorn.email of GitHub

References

  • access.redhat.com/errata/RHSA-2019:0796
  • access.redhat.com/errata/RHSA-2019:1147
  • access.redhat.com/errata/RHSA-2019:1149
  • access.redhat.com/errata/RHSA-2019:1289
  • github.com/advisories/GHSA-86g5-2wh3-gc9j
  • groups.google.com/forum/
  • groups.google.com/forum/
  • groups.google.com/forum/
  • lists.debian.org/debian-lts-announce/2019/03/msg00042.html
  • lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
  • lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
  • nvd.nist.gov/vuln/detail/CVE-2019-5418
  • web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
  • weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
  • www.exploit-db.com/exploits/46585

Code Behaviors & Features

Detect and mitigate CVE-2019-5418 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 4.0.0 before 4.2.11.1, all versions starting from 5.0.0 before 5.0.7.2, all versions starting from 5.1.0 before 5.1.6.2, all versions starting from 5.2.0 before 5.2.2.1

Fixed versions

  • 5.2.2.1
  • 4.2.11.1
  • 5.1.6.2
  • 5.0.7.2

Solution

Upgrade to versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 or above.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Learn more about CVSS

Weakness

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Source file

gem/actionview/CVE-2019-5418.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 23 Aug 2025 00:20:08 +0000.