Rails · Rails · CVE-2026-33173
**Name of the Vulnerable Software and Affected Versions**
Rails versions prior to 8.1.2.1
Rails versions prior to 8.0.4.1
Rails versions prior to 7.2.3.1
**Description**
Active Storage in Rails applications allows users to attach files from cloud and local sources. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the `DirectUploadsController` accepts arbitrary metadata from a client and stores it with the file. Internal flags, such as `identified` and `analyzed`, are stored within the same metadata. This allows a malicious client to manipulate these flags, bypassing MIME detection and analysis. An attacker can upload arbitrary content while falsely claiming a safe content type, circumventing validations that depend on Active Storage’s automatic content type identification. The `DirectUploadsController` is the component affected by this issue.
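The defensive pattern this advisory implies, as an added plain-Ruby example that is not Rails code or the upstream patch: internal flags must be dropped from any client-supplied direct-upload metadata, and the content type an application relies on must be derived server-side from the bytes rather than from what the client declared. The magic-number table and the `sanitize_direct_upload_metadata` / `content_type_trusted?` helpers are assumptions for illustration (Active Storage itself uses the Marcel gem).

```ruby
# Internal Active Storage flags that must never be accepted from a client.
INTERNAL_METADATA_FLAGS = %w[identified analyzed].freeze

# Minimal magic-number table, constructed for this example only.
MAGIC = {
  "image/png"       => "\x89PNG\r\n\x1A\n".b,
  "image/jpeg"      => "\xFF\xD8\xFF".b,
  "image/gif"       => "GIF8".b,
  "application/pdf" => "%PDF-".b,
}.freeze

# Drop any internal flags a client tried to smuggle into blob metadata,
# whether the keys arrive as strings or symbols.
def sanitize_direct_upload_metadata(metadata)
  metadata.reject { |key, _| INTERNAL_METADATA_FLAGS.include?(key.to_s) }
end

# Identify a content type from the leading bytes; nil when unrecognised.
def sniff_content_type(bytes)
  head = bytes.b
  MAGIC.each { |type, signature| return type if head.start_with?(signature) }
  nil
end

# Server-side check: the declared type must match what the bytes actually are.
# Unknown or empty content never passes, so a bare claim of "image/png" fails.
def content_type_trusted?(declared_type, bytes)
  sniffed = sniff_content_type(bytes)
  !sniffed.nil? && sniffed == declared_type
end

if __FILE__ == $0
  # Constructed request: the client claims a PNG and pre-sets the internal flags.
  client_metadata = { "identified" => true, "analyzed" => true, "width" => 10 }
  p sanitize_direct_upload_metadata(client_metadata)                      # {"width"=>10}
  p content_type_trusted?("image/png", "<script>alert(1)</script>")       # false
  p content_type_trusted?("image/png", "\x89PNG\r\n\x1A\n\x00\x00".b)     # true
end
```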
**Recommendations**
Update to Rails version 8.1.2.1 or later.
Update to Rails version 8.0.4.1 or later.
Update to Rails version 7.2.3.1 or later.