DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33170: Cross-Site Scripting (XSS) via SafeBuffer State Loss in Rails Active Support

Vulnerability ID: CVE-2026-33170
CVSS Score: 5.3
Published: 2026-03-23

CVE-2026-33170 is a Cross-Site Scripting (XSS) vulnerability in the Active Support component of Ruby on Rails. The flaw resides in the SafeBuffer#% formatting operator, which creates a new string instance without propagating the internal state that records whether the buffer is still HTML-safe. A string that has been destructively mutated (and is therefore no longer safe) comes out of the formatting step treated as safe again, so attacker-influenced content can bypass Rails' ERB auto-escaping and potentially lead to arbitrary JavaScript execution in the context of the user's session.

TL;DR

A state-tracking failure in Rails Active Support's SafeBuffer#% method permits Cross-Site Scripting (XSS). Destructively mutated strings lose their unsafe flag upon formatting, bypassing ERB auto-escaping and rendering malicious payloads.
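To make the state-loss mechanism concrete, the following is an added, self-contained Ruby model written for this post; it is not Rails' SafeBuffer and not code from the advisory or the fix commits. ToySafeBuffer, format_lossy, format_fixed and render are hypothetical names. The toy tracks an @html_unsafe flag the way the commit message "Ensure SafeBuffer#% and * propagate @html_unsafe state" describes: destructive methods flip the flag, a lossy formatting operator drops it when it builds a new instance, and the fixed variant copies it across so the renderer keeps escaping.

```ruby
# Added illustration (not Rails' own SafeBuffer): a minimal model of how a
# safe-string buffer tracks HTML safety, and how a formatting operator that
# builds a new instance can drop that state. All names here are hypothetical.
require 'erb'

class ToySafeBuffer < String
  # Destructive methods leave the buffer in an unknown state, so they mark it unsafe
  # (this mirrors the behaviour the advisory attributes to methods like gsub!).
  UNSAFE_METHODS = %i[gsub! sub! upcase! downcase! replace].freeze

  def initialize(str = '')
    super
    @html_unsafe = false
  end

  def html_safe?
    !@html_unsafe
  end

  UNSAFE_METHODS.each do |m|
    define_method(m) do |*args, &blk|
      @html_unsafe = true
      super(*args, &blk)
    end
  end

  # Lossy variant: String#% returns a plain String; wrapping it in a fresh
  # buffer silently resets the unsafe flag to false. This is the failure mode.
  def format_lossy(*args)
    ToySafeBuffer.new(to_str % args)
  end

  # Fixed variant: carry the unsafe flag onto the new instance.
  def format_fixed(*args)
    result = ToySafeBuffer.new(to_str % args)
    result.instance_variable_set(:@html_unsafe, @html_unsafe)
    result
  end
end

# ERB-style output: a buffer that reports html_safe? is emitted verbatim,
# anything else is HTML-escaped.
def render(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_str
  else
    ERB::Util.html_escape(value.to_str)
  end
end

# Constructed scenario: a trusted template fragment is destructively mutated
# with user-influenced text (marking it unsafe) and then formatted.
def demo(user_input)
  buf = ToySafeBuffer.new('Hello, %s!')
  buf.gsub!('Hello', user_input)            # buffer is now unsafe
  lossy = buf.format_lossy('world')         # flag lost: rendered raw
  fixed = buf.format_fixed('world')         # flag kept: rendered escaped
  { lossy: render(lossy), fixed: render(fixed),
    lossy_safe: lossy.html_safe?, fixed_safe: fixed.html_safe? }
end

if __FILE__ == $PROGRAM_NAME
  p demo('<i>guest</i>')
end
```

With user input such as `<i>guest</i>`, the lossy path reports the formatted buffer as safe and emits the tag unescaped, while the fixed path escapes it; this is exactly the audit question from the mitigation list below: any place where a SafeBuffer is mutated in place and then formatted deserves a look.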


Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0: 5.3 (Medium)
  • EPSS Score: 0.0
  • Exploit Status: None
  • CISA KEV: Not Listed

Affected Systems

  • Ruby on Rails (activesupport component)
  • activesupport: < 7.2.3.1 (Fixed in: 7.2.3.1)
  • activesupport: >= 8.0.0.beta1, < 8.0.4.1 (Fixed in: 8.0.4.1)
  • activesupport: >= 8.1.0.beta1, < 8.1.2.1 (Fixed in: 8.1.2.1)

Code Analysis

Commit: 50d732a

Ensure SafeBuffer#% and * propagate @html_unsafe state

Commit: 6e8a811

Secondary fix commit for SafeBuffer formatting safety

Commit: c1ad0e8

Additional test coverage and refinement for SafeBuffer fix

Mitigation Strategies

  • Update the activesupport gem to the latest patched version.
  • Avoid using destructive 'bang' methods (like gsub!) on SafeBuffer strings.
  • Audit codebases for instances where SafeBuffer objects are mutated and subsequently formatted.

Remediation Steps:

  1. Identify the current Rails version running in the application by checking the Gemfile.lock.
  2. Update the activesupport dependency to version 7.2.3.1, 8.0.4.1, or 8.1.2.1 depending on the current branch.
  3. Execute the application test suite to ensure that string formatting behavior remains functional and regressions are not introduced.
  4. Deploy the updated application dependencies to the production environment.
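As an added helper for steps 1 and 2 (written for this post, not taken from the advisory or from Rails), the script below reads the activesupport version pinned in a Gemfile.lock and compares it against the affected ranges and fixed releases listed under Affected Systems. The lockfile text is a constructed sample; activesupport_version, vulnerable? and check_lock are hypothetical names.

```ruby
# Added helper (not from the advisory or Rails): check the activesupport
# version pinned in a Gemfile.lock against the ranges this report lists.
require 'rubygems'

# Affected ranges from the advisory: [lower bound (nil = any), first fixed version).
AFFECTED_RANGES = [
  [nil,                              Gem::Version.new('7.2.3.1')],
  [Gem::Version.new('8.0.0.beta1'),  Gem::Version.new('8.0.4.1')],
  [Gem::Version.new('8.1.0.beta1'),  Gem::Version.new('8.1.2.1')],
].freeze

# Bundler indents each gem's spec line under "specs:" by exactly four spaces;
# dependency lines below it are indented further, so they do not match.
def activesupport_version(lock_text)
  m = lock_text.match(/^\s{4}activesupport \(([^)\s]+)\)/)
  m && Gem::Version.new(m[1])
end

def affected_range(version)
  AFFECTED_RANGES.find { |lo, hi| (lo.nil? || version >= lo) && version < hi }
end

def vulnerable?(version)
  !affected_range(version).nil?
end

# Returns the pinned version, whether it falls in an affected range, and the
# fixed release for that branch (nil when not pinned or already patched).
def check_lock(lock_text)
  version = activesupport_version(lock_text)
  return { version: nil, vulnerable: false, fix: nil } unless version

  range = affected_range(version)
  { version: version.to_s, vulnerable: !range.nil?, fix: range && range[1].to_s }
end

# Constructed sample lockfile excerpt, not a real application's Gemfile.lock.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (8.0.2)
        base64
        concurrent-ruby (~> 1.0, >= 1.3.1)
      base64 (0.2.0)
      concurrent-ruby (1.3.5)
LOCK

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCK
  p check_lock(text)
end
```

Run it with the path to a real Gemfile.lock as the first argument, or with no argument to see the constructed sample evaluated. Gem::Version orders prerelease tags correctly, so 8.1.0.beta1 sorts below 8.1.0 and is reported as affected, as the advisory's ranges specify.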

Read the full report for CVE-2026-33170 on our website for more details including interactive diagrams and full exploit analysis.
