PT-2019-14761 · Plataformatec · Simpleform

Published 2019-09-30 · Updated 2019-10-04 · CVE-2019-16676

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Plataformatec Simple Form versions prior to 5.0
Description: The issue is related to incorrect access control in the file_method? function, located in lib/simple_form/form_builder.rb. This allows a user-supplied string to be invoked as a method call, potentially leading to code execution, denial of service, or information disclosure. For example, an attacker could manipulate input to call actions like #destroy or execute computation-intensive methods. The issue only affects pages that build forms based on user-provided input.
Recommendations: For versions prior to 5.0, upgrade to version 5.0 to fix the issue. As a temporary workaround, consider explicitly passing the input type using the as option, such as <%= form.input :avatar, as: :file %>, to avoid relying on Simple Form's automatic discovery of input types. If your application does not build forms based on user-provided input, you are not affected by this issue.
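The pattern the description and the as: workaround refer to, as an added and simplified Ruby illustration (not Simple Form's own code; Profile, Upload, FILE_METHODS, UnsafeBuilder and SafeBuilder are constructed for this example): type discovery that calls whatever method the attribute name denotes, beside a builder that only probes declared attribute names or takes an explicit type.

```ruby
require "set"
Upload = Struct.new(:path) # constructed stand-in for an attached file

# Constructed sample model: two ordinary form attributes plus a destructive
# method that a form-building code path must never reach.
class Profile
  attr_accessor :avatar, :name, :destroyed

  def initialize
    @avatar = Upload.new("/tmp/avatar.png")
    @name = "alice"
    @destroyed = false
  end

  def destroy
    @destroyed = true
  end
end

# Methods whose presence marks a value as "file-like" for discovery.
FILE_METHODS = %i[path].freeze

class UnsafeBuilder
  def initialize(object)
    @object = object
  end

  # Unsafe discovery: the attribute name, whatever its origin, becomes a
  # method call on the model, so any public method is reachable, not just readers.
  def file_method?(attribute_name)
    value = @object.send(attribute_name) if @object.respond_to?(attribute_name)
    !!(value && FILE_METHODS.any? { |m| value.respond_to?(m) })
  end
end

class SafeBuilder
  def initialize(object, allowed_attributes)
    @object = object
    @allowed = Set.new(allowed_attributes.map(&:to_s))
  end

  # An explicit type (the advisory's as: workaround) skips discovery entirely;
  # otherwise only developer-declared attribute names are ever probed.
  def input_type(attribute_name, as: nil)
    return as if as
    name = attribute_name.to_s
    raise ArgumentError, "undeclared attribute #{name.inspect}" unless @allowed.include?(name)
    value = @object.public_send(name)
    FILE_METHODS.any? { |m| value.respond_to?(m) } ? :file : :string
  end
end
```

The unsafe builder runs Profile#destroy as a side effect of merely asking whether "destroy" is a file attribute; the safe builder refuses the name before touching the model.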

Exploit · Fix · RCE

Related Identifiers

CVE-2019-16676
GHSA-R74Q-GXCG-73HX

Affected Products

Simpleform