The Questionable Substitution: SQL Injection in JRuby's JDBC Adapter
Vulnerability ID: GHSA-5QW5-WF2Q-F538
CVSS Score: 8.8
Published: 2026-01-16
A recursive string substitution vulnerability in the activerecord-jdbc-adapter gem allowed attackers to inject malicious SQL by simply including a question mark in their input. This flaw affects JRuby applications connecting to databases via JDBC.
TL;DR
Older versions of the activerecord-jdbc-adapter (< 1.2.8) used a naive gsub strategy to replace SQL bind parameters (?). If a user-supplied string contained a ?, the adapter treated that character as a fresh placeholder and substituted the next bind parameter into the middle of the current string literal. This breaks the SQL syntax and allows classic SQL injection attacks.
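The following is an added example, not code from the gem or the advisory: it models the re-scanning substitution the TL;DR describes beside a single-pass replacement, using a benign bind value that merely contains a question mark. `quote_value`, `naive_substitute` and `single_pass_substitute` are hypothetical names standing in for the adapter's own quoting and bind-substitution logic.

```ruby
# Hypothetical quoting helper standing in for the adapter's quoting logic.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Modelled on the advisory's description (not the gem's actual code):
# substitute one bind at a time, re-scanning the partially built SQL each
# pass. A '?' that arrived inside an earlier bind value is mistaken for a
# placeholder, so the next bind lands inside that string literal and the
# real placeholder is left unfilled.
def naive_substitute(sql, binds)
  binds.each do |bind|
    sql = sql.sub("?") { quote_value(bind) }
  end
  sql
end

# Single pass: gsub with a block walks the original template once and
# inserts the block's return value verbatim, never re-scanning it for '?'.
# The count check rejects templates whose placeholder count does not match
# the binds, instead of silently quoting nil as NULL.
def single_pass_substitute(sql, binds)
  placeholders = sql.count("?")
  unless placeholders == binds.size
    raise ArgumentError, "expected #{placeholders} binds, got #{binds.size}"
  end
  queue = binds.dup
  sql.gsub("?") { quote_value(queue.shift) }
end

# Constructed sample: the first bind value contains a question mark.
TEMPLATE = "SELECT * FROM users WHERE name = ? AND role = ?"
BINDS    = ["why?", "admin"]

if __FILE__ == $0
  puts "naive:       " + naive_substitute(TEMPLATE, BINDS)
  puts "single pass: " + single_pass_substitute(TEMPLATE, BINDS)
end
```

Even the single-pass version still counts a literal `?` written into the SQL template itself, which is why the mitigation list below favours Arel visitors over string substitution for SQL generation.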
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: SQL Injection (Recursive Substitution)
- CWE ID: CWE-89
- CVSS Score: 8.8 (High)
- CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
- Attack Vector: Network
- Affected Component: lib/arjdbc/jdbc/adapter.rb
Affected Systems
- JRuby applications using ActiveRecord
- activerecord-jdbc-adapter < 1.2.8
- activerecord-jdbc-adapter: < 1.2.8 (fixed in 1.2.8)
Exploit Details
- GHSA: Advisory containing PoC description
Mitigation Strategies
- Upgrade activerecord-jdbc-adapter to version >= 1.2.8 immediately.
- Audit custom SQL adapters or legacy code for usage of gsub on SQL strings.
- Ensure Arel visitor patterns are used for SQL generation in Ruby ORMs.
Remediation Steps:
- Check your Gemfile.lock for activerecord-jdbc-adapter.
- If the version is < 1.2.8, run bundle update activerecord-jdbc-adapter.
- Verify the update by running bundle show activerecord-jdbc-adapter.
- Restart the JRuby application server.
References
Read the full report for GHSA-5QW5-WF2Q-F538 on our website for more details including interactive diagrams and full exploit analysis.