CVE-2023-28362

4.0 MEDIUM

📋 TL;DR

Rails' redirect_to accepts user-supplied values that contain characters illegal in an HTTP header value (NUL, CR, LF) and emits them in the Location header unchanged. A downstream service that enforces RFC compliance on response headers (a reverse proxy, load balancer or CDN) may then strip the Location header entirely, leaving the victim on the static redirect page Rails sends with every redirect response. That page links to the supplied URL, so if the attacker also chose a script-capable scheme such as javascript:, clicking the link executes the payload in the application's origin (XSS). The vendor advisory notes that this requires an injection point in the application: a user-controlled value reaching redirect_to.
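To make the three moving parts concrete, the following is an added illustration written for this page; it is not Rails' code or the advisory's. It models the pre-fix Location computation (any "scheme:" or "//" value is used verbatim), an intermediary that drops RFC-non-compliant headers, and the static redirect page. The scheme regex, header-legality rule and stub page are approximations of Rails' and a strict proxy's behaviour; patched_location mirrors the effect of the fix, which removes NUL, CR and LF. The host name and inputs are constructed.

```ruby
require "erb"

# Pre-fix behaviour modelled after Rails' redirect location handling: a value that
# starts with a scheme or "//" is used verbatim, so the scheme is unrestricted and
# control characters are kept. Anything else is treated as a same-host path.
SCHEME_OR_PROTOCOL_RELATIVE = /\A([a-z][a-z\d\-+.]*:|\/\/)/i

def unpatched_location(host_with_port, value)
  if value.match?(SCHEME_OR_PROTOCOL_RELATIVE)
    value
  else
    "https://#{host_with_port}#{value}"
  end
end

# Effect of the fix shipped in 7.0.5.1 / 6.1.7.4: NUL, CR and LF are removed
# from the computed location before it becomes the Location header.
def patched_location(host_with_port, value)
  unpatched_location(host_with_port, value).delete("\0\r\n")
end

# Header field-value rule a strict intermediary applies: no NUL, CR, LF or other
# C0 controls (HTAB stays legal).
def legal_header_value?(value)
  !value.match?(/[\x00-\x08\x0A-\x1F\x7F]/)
end

# Models a proxy that drops illegal headers instead of failing the response.
# Returns only the headers that survive.
def strict_proxy_filter(headers)
  headers.select { |_name, value| legal_header_value?(value) }
end

# Approximation of the static page a Rails redirect response carries. The
# location is HTML-escaped, but an href with a javascript: scheme still runs
# when the user clicks it.
def redirect_stub_body(location)
  %(<html><body>You are being <a href="#{ERB::Util.html_escape(location)}">redirected</a>.</body></html>)
end

# End to end: does the victim end up on a static page whose link carries a
# script-capable scheme? Only true when the Location header was dropped.
def leaves_victim_on_script_link?(value, patched:)
  host = "app.example.com" # constructed
  location = patched ? patched_location(host, value) : unpatched_location(host, value)
  surviving = strict_proxy_filter({ "Location" => location, "Content-Type" => "text/html" })
  !surviving.key?("Location") &&
    redirect_stub_body(location).match?(/href="(?:javascript|data|vbscript):/i)
end

if __FILE__ == $PROGRAM_NAME
  payload = "javascript:alert(1)\n" # constructed attacker value with a trailing LF
  puts "unpatched: #{leaves_victim_on_script_link?(payload, patched: false)}"
  puts "patched:   #{leaves_victim_on_script_link?(payload, patched: true)}"
end
```

Note that with the fix the trailing LF is gone, the header is legal and survives the proxy, so the static page is never shown; restricting the scheme itself remains the application's job, which is why the advisory's workaround is about not passing arbitrary-scheme URLs to redirect_to at all.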

💻 Affected Systems

Products:
  • Ruby on Rails
Versions: All releases before 6.1.7.4, and 7.0.0 through 7.0.5.0 (the vendor advisory lists all versions as affected; fixes were published only for the 6.1 and 7.0 series)
Operating Systems: All operating systems running affected Rails versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that pass user-supplied values to redirect_to. Applications that validate redirect URLs (scheme, host allowlist, absence of control characters) before calling redirect_to are not exposed.

⚠️ Manual Verification Required

Automated detection cannot settle this from the Rails version alone. The vendor advisory lists every Rails version as affected and shipped fixes only for the 6.1 and 7.0 series, so a version check tells you whether the Location sanitization is present, not whether the application ever passes user input to redirect_to.

Why? Exposure depends on application code (a user-controlled value reaching redirect_to) and on deployment (an intermediary that strips RFC-non-compliant headers), neither of which a version database records.


Recommended Actions:
  1. Review the CVE details at NVD and the vendor advisory linked below
  2. Compare your Rails version against the fixed releases (7.0.5.1, 6.1.7.4)
  3. Audit every redirect_to call that receives user input and test whether it accepts control characters or non-http schemes
  4. Upgrade to a fixed release; unsupported series (5.2, 6.0) received no fix and must be upgraded or protected by input validation

⚠️ Risk & Real-World Impact

🔴

Worst Case

Successful XSS attack leading to session hijacking, credential theft, or complete account compromise.

🟠

Likely Case

A downstream proxy strips the malformed Location header and the victim lands on the static redirect page; reflected XSS follows only if the supplied URL uses a script-capable scheme and the victim clicks the link.

🟢

If Mitigated

Illegal characters are stripped (patched Rails) or the supplied URL is rejected (application-side validation), so the redirect either proceeds to a legal target or falls back to a safe default; no security compromise occurs.

🌐 Internet-Facing: MEDIUM - Requires user interaction and specific conditions, but affects common Rails functionality.
🏢 Internal Only: LOW - Internal applications typically have trusted users and fewer attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation needs a user-controlled value reaching redirect_to, a victim who follows the crafted link, an intermediary (proxy, load balancer, CDN) that drops the non-compliant Location header, and the victim then clicking the link on the static redirect page. Proof-of-concept code is publicly available in advisory discussions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Rails 7.0.5.1 and 6.1.7.4

Vendor Advisory: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132

Restart Required: Yes

Instructions:

  1. Update the Gemfile to require a fixed Rails release (>= 7.0.5.1 on the 7.0 series, >= 6.1.7.4 on the 6.1 series).
  2. Run 'bundle update rails' and commit the updated Gemfile.lock.
  3. Restart the application server.
  4. Test redirect functionality, including a target containing a newline, and confirm the Location header comes back with the character removed.

🔧 Temporary Workarounds

Input Validation Workaround

Applies to: all platforms

Validate user-supplied URLs before passing them to redirect_to: reject control characters, restrict the scheme to http/https and the host to an allowlist, and fall back to a safe default otherwise

# In a controller action; valid_redirect? is an application-defined check, not a Rails API:
redirect_to(valid_redirect?(user_input) ? user_input : root_path)
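One way to implement that check, as an added example rather than Rails' or the page's own code: the helpers safe_redirect_target and valid_redirect? are hypothetical application code, and the host allowlist is constructed. It goes beyond the single case above by also rejecting protocol-relative and backslash-prefixed paths, which browsers treat as a different host, and the userinfo trick ("allowed.host@evil").

```ruby
require "uri"

# Constructed allowlist of hosts the application may redirect to.
ALLOWED_REDIRECT_HOSTS = %w[app.example.com www.example.com].freeze

# Characters illegal in an HTTP header value; any of them would trigger the
# Location-stripping behaviour described above (HTAB is deliberately allowed).
ILLEGAL_HEADER_CHARS = /[\x00-\x08\x0A-\x1F\x7F]/

# Returns a target that is safe to hand to redirect_to, or nil.
# Accepts same-origin paths ("/account") and absolute http(s) URLs whose host is
# allowlisted. Rejects header-breaking characters, protocol-relative URLs
# ("//evil.example"), backslash paths ("/\evil.example", which browsers read as
# "//evil.example"), non-http schemes such as javascript:, and credentials
# tricks ("https://app.example.com@evil.example/").
def safe_redirect_target(user_input, allowed_hosts: ALLOWED_REDIRECT_HOSTS)
  return nil unless user_input.is_a?(String) && !user_input.empty?
  return nil if user_input.match?(ILLEGAL_HEADER_CHARS)
  return nil if user_input.include?("\\")

  # Same-origin relative path. "//host" is protocol-relative, not a path.
  return user_input if user_input.start_with?("/") && !user_input.start_with?("//")

  uri = URI.parse(user_input)
  return nil unless %w[http https].include?(uri.scheme&.downcase)
  return nil unless allowed_hosts.include?(uri.host&.downcase)
  uri.to_s
rescue URI::InvalidURIError
  nil
end

def valid_redirect?(user_input)
  !safe_redirect_target(user_input).nil?
end

# Controller usage (Rails code, shown for context only):
#   redirect_to(safe_redirect_target(params[:return_to]) || root_path)
```

Returning nil and falling back to a known route is deliberate: an action that simply does not redirect on invalid input returns an empty 204, which is confusing to users and hides the rejected input from logs.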

Monkey Patch Fix

Applies to: all platforms

Strip NUL, CR and LF from the computed redirect location before Rails emits it (the effect of the upstream fix) without redefining redirect_to itself

# In config/initializers/redirect_fix.rb:
# Prepend rather than reopen ActionController::Redirecting, so super still runs
# the stock location computation and only the final value is sanitized.
# Remove once the application is on Rails 7.0.5.1 / 6.1.7.4 or later.
module RedirectLocationSanitizer
  def _compute_redirect_to_location(request, options)
    super.delete("\0\r\n")
  end
end

ActiveSupport.on_load(:action_controller) do
  prepend RedirectLocationSanitizer
end

🧯 If You Can't Patch

  • Do not pass user-supplied URLs with arbitrary schemes to redirect_to (the vendor's stated workaround); validate scheme, host allowlist and absence of control characters first
  • Deploy WAF rules that block redirect parameters containing control characters or javascript:/data: schemes, and monitor for 3xx responses that lose their Location header at the proxy

🔍 How to Verify

Check if Vulnerable:

Check the Rails version with 'bundle show rails' or 'rails --version'. If it is below 6.1.7.4, a 7.0.x release below 7.0.5.1, or any 5.2/6.0 release, check whether the application passes user input to redirect_to.

Check Version:

rails --version  # or bundle show rails

Verify Fix Applied:

Verify the Rails version is >= 7.0.5.1 or >= 6.1.7.4. Then send a request whose redirect target contains a CR, LF or NUL and confirm the Location header is emitted without those characters and reaches the client intact through any proxy.

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns in application logs
  • Failed redirect attempts with malformed URLs
  • Multiple redirects to unexpected domains

Network Indicators:

  • HTTP responses with missing or malformed Location headers
  • Redirects containing unusual characters in URLs

SIEM Query:

Rails logs parameter values with Hash#inspect, so a raw control character in a value shows up as the escape sequence \n, \r or \u0000 on the "Parameters:" line, and every redirect is logged as "Redirected to <location>":

source="rails.log" ("Parameters:" AND ("\\n" OR "\\r" OR "\\u0000" OR "javascript:" OR "data:")) OR ("Redirected to" AND ("javascript:" OR "data:"))
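The same indicators applied offline to Rails request-log lines, as an added example that is not from the page or from Rails. The log excerpt is constructed; its "Parameters:" lines are written the way Rails prints them (Hash#inspect), so raw control characters appear as escape sequences. The Finding struct and scan_rails_log are hypothetical names.

```ruby
# Constructed Rails production-log excerpt: a benign redirect, a javascript:
# target with a trailing raw LF (logged as "\n"), and a NUL (logged as "\u0000").
SAMPLE_RAILS_LOG = <<~'LOG'
  Started GET "/login?return_to=%2Fdashboard" for 203.0.113.5 at 2023-07-01 10:00:00 +0000
  Processing by SessionsController#new as HTML
    Parameters: {"return_to"=>"/dashboard"}
  Redirected to https://app.example.com/dashboard
  Started GET "/login?return_to=javascript%3Aalert%281%29%0A" for 198.51.100.7 at 2023-07-01 10:00:05 +0000
  Processing by SessionsController#new as HTML
    Parameters: {"return_to"=>"javascript:alert(1)\n"}
  Redirected to javascript:alert(1)
  Started GET "/login?return_to=%00" for 198.51.100.7 at 2023-07-01 10:00:09 +0000
  Processing by SessionsController#new as HTML
    Parameters: {"return_to"=>"\u0000"}
LOG

# An escaped control character in a logged parameter value. The lookbehind
# skips an escaped backslash followed by "n" (a literal backslash is printed
# by Hash#inspect as \\, so "\\n" is not a newline).
PARAM_CONTROL_CHAR = /(?<!\\)\\(?:n|r|e|u00[01][0-9a-f]|x7f)/i
# A parameter value, or a logged redirect target, that starts with a
# script-capable scheme.
PARAM_DANGEROUS_SCHEME  = /=>"\s*(?:javascript|data|vbscript):/i
TARGET_DANGEROUS_SCHEME = /\A\s*(?:javascript|data|vbscript):/i

Finding = Struct.new(:line_no, :reason, :line)

# Returns one Finding per indicator hit, in log order (1-based line numbers).
def scan_rails_log(text)
  findings = []
  text.each_line.with_index(1) do |raw, line_no|
    line = raw.chomp
    if line.include?("Parameters:")
      findings << Finding.new(line_no, "control character in parameter value", line) if line.match?(PARAM_CONTROL_CHAR)
      findings << Finding.new(line_no, "script scheme in parameter value", line) if line.match?(PARAM_DANGEROUS_SCHEME)
    elsif line.lstrip.start_with?("Redirected to ")
      target = line.lstrip.delete_prefix("Redirected to ")
      findings << Finding.new(line_no, "redirect to script scheme", line) if target.match?(TARGET_DANGEROUS_SCHEME)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_rails_log(SAMPLE_RAILS_LOG).each do |f|
    puts "line #{f.line_no}: #{f.reason}: #{f.line.strip}"
  end
end
```

A "Redirected to" line that carried a raw LF is itself split across two log lines, so the scheme check on the logged target is the reliable signal there; the control-character check belongs on the "Parameters:" line, where the value is escaped and survives intact.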
