Ruby · Active Support · CVE-2023-28120
**Name of the Vulnerable Software and Affected Versions**
ActiveSupport versions prior to 7.0.4.3
ActiveSupport versions prior to 6.1.7.3
**Description**
There is a possible cross-site scripting (XSS) vulnerability in ActiveSupport when the `bytesplice` method is called on an `ActiveSupport::SafeBuffer` with untrusted user input. `SafeBuffer` keeps an `html_safe?` flag and protects it by intercepting the `String` methods that can change the buffer's content: splice-style methods such as `[]=`, `insert` and `concat` escape their argument unless it is already HTML-safe, and in-place mutators drop the flag. Ruby 3.2 introduced `String#bytesplice`, which ActiveSupport did not recognize as a mutation, so untrusted bytes spliced in through it land in a buffer that is still marked `html_safe`, and a view layer that trusts that flag emits them unescaped. Because `bytesplice` does not exist before Ruby 3.2, applications on older Ruby versions are likely unaffected.
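The following is an added illustration, not code from ActiveSupport or from this advisory. It uses a deliberately simplified stand-in for `SafeBuffer` (a `String` subclass with an `html_safe?` flag, argument escaping on splice-style methods, and flag clearing on bang mutators) to show why an unintercepted `bytesplice` bypasses escaping, and a subclass that models the shape of the fix by escaping the spliced-in argument the same way `[]=` does. The class names, the `render` helper, and the payload are all constructed for the example; only the `(index, length, str)` and `(range, str)` forms of `bytesplice` are modeled, and the demo reports `:unsupported` on Rubies older than 3.2.

```ruby
require "cgi"

# String#bytesplice exists only on Ruby >= 3.2; report rather than raise elsewhere.
BYTESPLICE_AVAILABLE = String.method_defined?(:bytesplice)

# Simplified stand-in for ActiveSupport::SafeBuffer as it behaved before the fix.
# Assumption: models only the html_safe flag, escaping of spliced-in arguments,
# and flag clearing on in-place mutators. It is not the real class.
class ModelSafeBuffer < String
  def initialize(str = "")
    @html_safe = true
    super(str)
  end

  def html_safe?
    @html_safe
  end

  # Splice-style methods: the argument is escaped unless it is itself safe, so the
  # buffer keeps its flag legitimately. Note that bytesplice is absent from this set.
  def []=(*args, value)
    super(*args, escape_unless_safe(value))
  end

  def insert(index, value)
    super(index, escape_unless_safe(value))
  end

  def concat(value)
    super(escape_unless_safe(value))
  end
  alias << concat

  # In-place mutators whose result cannot be vouched for: drop the flag.
  %i[gsub! sub! upcase! downcase! strip!].each do |name|
    define_method(name) do |*args, &blk|
      @html_safe = false
      super(*args, &blk)
    end
  end

  private

  def escape_unless_safe(value)
    return value if value.respond_to?(:html_safe?) && value.html_safe?

    CGI.escapeHTML(value.to_s)
  end
end

# Shape of the fix (assumption, mirroring the []= handling above): intercept
# bytesplice and escape the string being spliced in before delegating to String.
class FixedSafeBuffer < ModelSafeBuffer
  def bytesplice(*args, value)
    super(*args, escape_unless_safe(value))
  end
end

# What a view layer does: trust html_safe? and emit raw, otherwise escape.
def render(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?

  CGI.escapeHTML(value.to_s)
end

# Build a trusted fragment, splice untrusted bytes into it, hand it to the view.
# Returns [rendered_html, html_safe_flag], or :unsupported without bytesplice.
def splice_and_render(buffer_class, untrusted)
  return :unsupported unless BYTESPLICE_AVAILABLE

  buf = buffer_class.new("<p>Hello, </p>")
  buf.bytesplice(3, 5, untrusted) # overwrite the 5 bytes of "Hello" in place
  [render(buf), buf.html_safe?]
end

PAYLOAD = "<script>alert(1)</script>" # constructed untrusted input

if __FILE__ == $PROGRAM_NAME
  p splice_and_render(ModelSafeBuffer, PAYLOAD) # flag stays true, script tag emitted raw
  p splice_and_render(FixedSafeBuffer, PAYLOAD) # flag stays true, payload escaped
end
```

Run it under Ruby 3.2 or newer: the vulnerable model renders `<p><script>alert(1)</script>, </p>` while still reporting `html_safe? == true`, which is exactly the condition the view layer relies on; the fixed model renders the payload as `&lt;script&gt;...`. The same program under an older Ruby returns `:unsupported`, matching the advisory's note that pre-3.2 users are not exposed.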
**Recommendations**
For versions prior to 7.0.4.3, upgrade to version 7.0.4.3 or later.
For versions prior to 6.1.7.3, upgrade to version 6.1.7.3 or later.
As a temporary workaround, do not call `bytesplice` on a `SafeBuffer` (html_safe) string with untrusted user input. If splicing cannot be avoided, escape the input first (for example with `ERB::Util.html_escape`) so that only HTML-safe content enters the buffer. To confirm an application is on a fixed release, check the resolved `activesupport` version in `Gemfile.lock` (or `bundle exec ruby -e 'require "active_support"; puts ActiveSupport.version'`) against the versions above.