CVE-2025-55193
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ruby_on_rails | activerecord | 8.0.2.1 |
| ruby_on_rails | activerecord | 7.2.2.2 |
| ruby_on_rails | activerecord | 7.1.5.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-150 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves Active Record logging IDs passed to find or similar methods without escaping them. If these IDs contain unescaped ANSI sequences and are logged directly to the terminal, it may lead to unintended terminal behavior or security issues. The problem exists in versions prior to 7.1.5.2, 7.2.2.2, and 8.0.2.1 and has been fixed in those versions.
How can this vulnerability impact me? :
The vulnerability can cause unescaped ANSI sequences to be logged directly to the terminal, which may result in unexpected terminal output or potential security risks such as terminal manipulation or information disclosure. However, the CVSS score is low (2.7), indicating limited impact.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Active Record to version 7.1.5.2, 7.2.2.2, or 8.0.2.1 or later, as these versions contain the patch that fixes the issue with unescaped ANSI sequences being logged.