PT-2021-22452 · Unknown · Better Errors

Robin Daugherty · Published 2021-09-07 · Updated 2021-09-14 · CVE-2021-39197

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: better errors versions prior to 2.8.0

Description: better errors is an open source replacement for the standard Rails error page that provides more information-rich error pages; it is also usable outside Rails in any Rack app as Rack middleware. The issue arises from the lack of CSRF protection for its internal requests and the failure to enforce the correct "Content-Type" header, which allows cross-origin "simple requests" (requests a browser sends without a CORS preflight) to reach those endpoints without CORS protection. This leaves applications with better errors enabled open to cross-origin attacks. As a developer tool, the better errors documentation recommends limiting its use to the development bundle group, so this vulnerability primarily affects development environments.

Recommendations: To resolve the issue, upgrade to the latest release of better errors, or at minimum to version "~> 2.8.3". Ensure your project limits better errors to the development group (or the non-Rails equivalent) to minimize exposure. There are no known workarounds to mitigate the risk of using older releases of better errors.
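The description above names the two missing controls: the internal endpoints accepted "simple request" content types (so a cross-origin page could POST to them without a CORS preflight) and had no same-origin check. The following Rack-style middleware is an added illustration of those two controls for a development-only endpoint; it is not better errors' own fix, and the `/__internal/` path prefix, the constructed request environments and the `status_for` helper are assumptions made for the example. Requiring `application/json` forces browsers to send a preflight, which fails because no `Access-Control-Allow-Origin` header is ever returned, and comparing `Origin` to the request host rejects any cross-origin request that arrives anyway.

```ruby
# Added example (not better_errors' own code): guard an internal,
# development-only Rack endpoint against cross-origin "simple requests".
# The "/__internal/" prefix is an assumed path for illustration.
require "stringio"

class CrossOriginGuard
  # Content types a browser may send cross-origin without a preflight.
  SIMPLE_TYPES = [
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
  ].freeze
  PROTECTED_PREFIX = "/__internal/".freeze # assumption: where internal calls live

  def initialize(app)
    @app = app
  end

  # Standard Rack interface: env in, [status, headers, body] out.
  def call(env)
    return @app.call(env) unless env["PATH_INFO"].to_s.start_with?(PROTECTED_PREFIX)

    reason = reject_reason(env)
    return forbid(reason) if reason

    @app.call(env)
  end

  # Returns nil when the request may proceed, else a short reason string.
  def reject_reason(env)
    # Decline preflights outright: never emit CORS headers for these paths.
    return "preflight not permitted" if env["REQUEST_METHOD"] == "OPTIONS"
    return "method must be POST" unless env["REQUEST_METHOD"] == "POST"

    media_type = env["CONTENT_TYPE"].to_s.split(";").first.to_s.strip.downcase
    return "simple content type refused" if SIMPLE_TYPES.include?(media_type)
    return "content-type must be application/json" unless media_type == "application/json"

    # Browsers attach Origin to cross-origin POSTs; require it to match our host.
    origin = env["HTTP_ORIGIN"].to_s
    unless origin.empty?
      expected = "#{env['rack.url_scheme'] || 'http'}://#{env['HTTP_HOST']}"
      return "cross-origin request rejected" unless origin == expected
    end
    nil
  end

  private

  def forbid(reason)
    [403, { "content-type" => "text/plain" }, ["forbidden: #{reason}"]]
  end
end

# A stand-in for the protected application (constructed for the example).
OK_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
GUARDED = CrossOriginGuard.new(OK_APP)

# Builds a constructed Rack env hash; these are not real captured requests.
def build_env(method:, path:, content_type: nil, origin: nil,
              host: "localhost:3000", scheme: "http")
  env = {
    "REQUEST_METHOD" => method,
    "PATH_INFO" => path,
    "HTTP_HOST" => host,
    "rack.url_scheme" => scheme,
    "rack.input" => StringIO.new(""),
  }
  env["CONTENT_TYPE"] = content_type if content_type
  env["HTTP_ORIGIN"] = origin if origin
  env
end

# Convenience helper: HTTP status the guarded app returns for a request.
def status_for(**opts)
  GUARDED.call(build_env(**opts)).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for(method: "POST", path: "/__internal/eval",
                  content_type: "application/x-www-form-urlencoded") # 403
  puts status_for(method: "POST", path: "/__internal/eval",
                  content_type: "application/json",
                  origin: "https://attacker.example")                # 403
  puts status_for(method: "POST", path: "/__internal/eval",
                  content_type: "application/json",
                  origin: "http://localhost:3000")                   # 200
end
```

Note that the Content-Type check is what closes the "simple request" gap; the Origin comparison is the defence-in-depth layer for user agents that send `Origin` on cross-origin POSTs. Restricting the gem to the development group, as the recommendation says, still matters, because this guard only narrows what a cross-origin page can reach, it does not make the endpoint safe to expose.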

References: Exploit · Fix

Tags: CSRF


Weakness Enumeration

Related Identifiers

CVE-2021-39197
GHSA-W3J4-76QW-WWJM

Affected Products

Better Errors