A vulnerability exists in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals argument of a render call to acheive remote code execution. This vulnerability has been assigned the CVE identifier CVE-2020-8163.


Users of Rails 5.0 should upgrade to a version >= 5.0.1. This release is already available on RubyGems.

Workaround: Until such time as the patch can be applied, application developers should ensure that all user-provided local names are alphanumeric.


Related Vulnerabilities