Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33170 is a cross-site scripting (XSS) vulnerability in the SafeBuffer#% method of the Active Support component in Ruby on Rails. The issue occurs because the method fails to propagate the @html_unsafe flag to the newly created buffer after formatting. If a SafeBuffer object is mutated in place (e.g., using gsub!) and then formatted with the % operator using untrusted input, the resulting buffer incorrectly reports html_safe? as true. This misreporting bypasses ERB's automatic HTML escaping, potentially allowing malicious scripts to be injected and executed."}, {'type': 'paragraph', 'content': 'The vulnerability affects versions of the activesupport Ruby gem before 8.1.2.1, 8.0.4.1, and 7.2.3.1, which contain patches that fix this issue by ensuring the unsafe status of buffers is preserved during formatting operations.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to cross-site scripting (XSS) attacks in applications using affected versions of Ruby on Rails. Because the SafeBuffer#% method incorrectly marks unsafe buffers as safe after formatting, malicious input may bypass ERB's automatic HTML escaping."}, {'type': 'paragraph', 'content': 'As a result, attackers could inject and execute arbitrary scripts in the context of the affected web application, potentially compromising user data, session information, or performing unauthorized actions on behalf of users.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is related to the Ruby on Rails Active Support component, specifically the SafeBuffer#% method mishandling the HTML safety flag during string formatting. Detection involves identifying if your application uses vulnerable versions of the activesupport Ruby gem (versions >= 8.1 and < 8.1.2.1, >= 8.0 and < 8.0.4.1, or < 7.2.3.1).

To detect if your system is vulnerable, you can check the installed version of the activesupport gem by running the following command in your application environment:

• gem list activesupport

If the version falls within the vulnerable ranges, your system is susceptible to this issue.

Additionally, you can audit your application code for usage of the SafeBuffer#% method combined with in-place mutations like gsub! and untrusted input formatting, which could lead to XSS vulnerabilities.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the activesupport Ruby gem to a patched version where this vulnerability is fixed.

• Upgrade to activesupport version 8.1.2.1 or later if you are on the 8.1 series.
• Upgrade to activesupport version 8.0.4.1 or later if you are on the 8.0 series.
• Upgrade to activesupport version 7.2.3.1 or later if you are on the 7.x series.

These updates ensure that the SafeBuffer#% method correctly preserves the HTML safety status of buffers after formatting, preventing unsafe buffers from being mistakenly treated as safe and mitigating potential XSS risks.

If immediate upgrading is not possible, review and sanitize any untrusted input used in string formatting operations involving SafeBuffer, and avoid in-place mutations like gsub! on SafeBuffer instances before formatting.

Useful 0 Not Useful 0