CVE-2024-53985

6.1 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in rails-html-sanitizer when used with specific configurations in Rails applications. Attackers can inject malicious content if HTML5 sanitization is enabled and developers have overridden allowed tags to include both 'math' and 'style' elements or both 'svg' and 'style' elements. Affected users are those running Rails >= 7.1.0 with vulnerable versions of rails-html-sanitizer and Nokogiri.

💻 Affected Systems

Products:
  • rails-html-sanitizer
  • Ruby on Rails
Versions: rails-html-sanitizer 1.6.0 with Rails >= 7.1.0 and (Nokogiri < 1.15.7 or 1.16.x < 1.16.8)
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when HTML5 sanitization is enabled AND developers have overridden allowed tags to include specific combinations ('math' and 'style' or 'svg' and 'style').

⚠️ Risk & Real-World Impact

🔴 Worst Case

Successful exploitation could allow attackers to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, account takeover, or data theft.

🟠 Likely Case

Attackers inject malicious scripts that steal session cookies or perform actions on behalf of authenticated users.

🟢 If Mitigated

With proper input validation and output encoding, the impact is limited even if the vulnerability exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific configuration conditions and user interaction (victim visiting malicious page).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: rails-html-sanitizer 1.6.1

Vendor Advisory: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x

Restart Required: Yes

Instructions:

1. Update the Gemfile to specify 'gem "rails-html-sanitizer", ">= 1.6.1"'.
2. Run 'bundle update rails-html-sanitizer'.
3. Restart your Rails application server.

🔧 Temporary Workarounds

Remove vulnerable tag combinations (applies to: all)

Remove the 'math' and 'style' or 'svg' and 'style' combinations from any custom allowed-tags configuration. Review every place the application overrides the sanitizer's allowed tags and drop 'style' wherever 'math' or 'svg' is also allowed.

Disable HTML5 sanitization (applies to: all)

Switch to HTML4 sanitization if HTML5 features are not required. In a Rails 7.1 application this is done in the application configuration by setting 'config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer' (and 'config.action_text.sanitizer_vendor = Rails::HTML4::Sanitizer' if Action Text is used).

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
  • Add additional input validation and output encoding layers

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock for 'rails-html-sanitizer (1.6.0)' and verify that the Rails version is >= 7.1.0 and that the Nokogiri version is < 1.15.7 or is a 1.16.x release < 1.16.8.

Check Version:

bundle list | grep rails-html-sanitizer

Verify Fix Applied:

Verify Gemfile.lock shows 'rails-html-sanitizer (1.6.1)' or higher.
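An added check, not from the advisory or the rails-html-sanitizer project, that applies the version conditions above to a Gemfile.lock and the allowed-tags condition to a sanitizer configuration. The lockfile excerpt and the tag lists are constructed for illustration.

```ruby
require "rubygems"
# Constructed sample Gemfile.lock excerpt (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.5-x86_64-linux)
      rails (7.1.3)
      rails-html-sanitizer (1.6.0)
        loofah (~> 2.21)
        nokogiri (~> 1.14)
LOCK

# Map gem name => version for the top-level "name (version)" spec lines.
# Those lines are indented by exactly four spaces; dependency lines are deeper.
# Platform-specific gems carry a "-<platform>" suffix that is stripped here.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, versions|
    next unless (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/))
    versions[m[1]] = m[2].sub(/-.*\z/, "")
  end
end

# Nokogiri < 1.15.7, or a 1.16.x release < 1.16.8, per the advisory.
def nokogiri_affected?(version)
  v = Gem::Version.new(version)
  return v < Gem::Version.new("1.15.7") if v < Gem::Version.new("1.16.0")
  return v < Gem::Version.new("1.16.8") if v < Gem::Version.new("1.17.0")
  false
end

# Version conditions: rails-html-sanitizer 1.6.0, Rails >= 7.1.0, affected Nokogiri.
def versions_affected?(versions)
  s, r, n = versions.values_at("rails-html-sanitizer", "rails", "nokogiri")
  return false unless s && r && n
  Gem::Version.new(s) == Gem::Version.new("1.6.0") &&
    Gem::Version.new(r) >= Gem::Version.new("7.1.0") &&
    nokogiri_affected?(n)
end

# Configuration condition: custom allowed tags include 'style' together with
# 'math' or 'svg' (the default allowed-tag set does not).
def risky_allowed_tags?(tags)
  names = tags.map(&:to_s)
  names.include?("style") && (names.include?("math") || names.include?("svg"))
end

# Exposed only when both the version and the configuration conditions hold.
def exposed?(lock_text, allowed_tags)
  versions_affected?(parse_lockfile(lock_text)) && risky_allowed_tags?(allowed_tags)
end
```

Run it against the real Gemfile.lock and the application's own allowed-tag list; a true result from exposed? means both the version and the configuration conditions in this advisory are met.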

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML content in user inputs containing 'math' or 'svg' elements together with 'style' elements

Network Indicators:

  • HTTP requests with suspicious HTML payloads

SIEM Query:

source="application.log" AND "rails-html-sanitizer" AND ("math" OR "svg") AND "style"
