actionpack Severe
Input Validation
Discovered 8 months ago
Published 10 months ago
Category: Input Validation
Severity: Severe

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3 Not affected: rails < 4.0.0 Fixed Versions: rails >=, rails >=


In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of each, or each_value, or each_pair will return the underlying “untrusted” hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.

Impacted code will look something like this:

def update
  # Attacker has included the parameter: `{ is_admin: true }`

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }

Note the mistaken use of each in the clean_up_params method in the above example.


Do not use the return values of each, each_value, or each_pair in your application.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

~> >=

Unaffected Versions

< 4.0.0