CVE-2024-53987

6.1 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in rails-html-sanitizer 1.6.0 when it is used with Rails >= 7.1.0. An attacker who can submit HTML that the application passes through the sanitizer and then renders to other users can get content past the sanitizer when HTML5 sanitization is enabled and the application has overridden the allowed tags so that 'style' is allowed while 'svg' or 'math' is not. The default allowed-tag list is not affected, and neither is Rails::HTML4::Sanitizer; only applications with that specific override are exposed. Fixed in 1.6.1.

💻 Affected Systems

Products:
  • rails-html-sanitizer
  • Ruby on Rails
Versions: rails-html-sanitizer 1.6.0 with Rails >= 7.1.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when HTML5 sanitization is enabled (the default under Rails 7.1 load_defaults, via config.action_view.sanitizer_vendor) AND the application has overridden the allowed tags to include 'style' while omitting 'svg' or 'math'. The vendor advisory additionally scopes the issue to older Nokogiri releases; check the Nokogiri version pinned in Gemfile.lock against the range stated in the advisory.

📦 What is this software?

rails-html-sanitizer is the gem behind the sanitize, strip_tags and strip_links helpers in Action View (and the sanitization done by Action Text). It is built on Loofah and Nokogiri and ships two vendors: Rails::HTML4::Sanitizer and, since Rails 7.1, Rails::HTML5::Sanitizer. Applications commonly extend its safe list of allowed tags and attributes, which is exactly the configuration this CVE concerns.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could execute arbitrary JavaScript in the browsers of users who view the stored content, stealing session cookies or tokens, performing actions as those users, or defacing pages.

🟠

Likely Case

Stored XSS limited to the features where user-supplied HTML is sanitized with the vulnerable override (comments, profiles, rich-text fields), affecting the users who view that content and potentially leading to session hijacking or credential theft.

🟢

If Mitigated

No impact if the application keeps the default allowed tags, uses Rails::HTML4::Sanitizer, or has upgraded to 1.6.1. Note that generic output encoding does not help here: the sanitizer's output is rendered as HTML by design, so the only real controls are the sanitizer version and its allowed-tag configuration.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the specific allowed-tag override, the ability to submit HTML that the application sanitizes and stores (which may or may not require an account, depending on the application), and a victim who later views that content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.1

Vendor Advisory: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr

Restart Required: Yes

Instructions:

1. Update the Gemfile to require the fixed release: gem 'rails-html-sanitizer', '>= 1.6.1'
2. Run 'bundle update rails-html-sanitizer' (add --conservative if you do not want sibling gems bumped) and confirm Gemfile.lock now shows 1.6.1 or later.
3. Restart your Rails application server so the new gem is loaded.

🔧 Temporary Workarounds

Workaround 1: Switch to the HTML4 sanitizer (applies to: all platforms)

Rails::HTML4::Sanitizer is not subject to this issue. In config/application.rb (or the relevant environment file):

config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer

Caveat: this changes parsing and sanitization behaviour application-wide (the HTML4 and HTML5 parsers treat some markup differently), so regression-test rendering of user-supplied HTML. Action Text has its own setting, config.action_text.sanitizer_vendor, which must be changed separately if Action Text is in use.

Workaround 2: Remove 'style' from the allowed-tag override (applies to: all platforms)

The vulnerable pattern needs 'style' explicitly allowed while 'svg' or 'math' is not. The safe change is to drop 'style' from every override (the default safe list does not include it) rather than to additionally allow 'svg' and 'math', which would widen the attack surface. Check both global overrides (e.g. Rails::HTML5::SafeListSanitizer.allowed_tags) and per-call overrides (sanitize(html, tags: ...)).

🧯 If You Can't Patch

  • Remove 'style' from every allowed-tag override, or fall back to Rails::HTML4::Sanitizer, until the gem can be upgraded
  • Review and audit all custom sanitizer configurations (global class-level overrides and per-call tags: options) to ensure none match the vulnerable pattern
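The audit in the last bullet is mechanical once the allowed-tag sets are in hand. The Ruby below is an added example, not code from the rails-html-sanitizer project or its advisory: it models a few constructed per-feature overrides, flags the ones that match the advisory's condition (style allowed, svg or math not allowed), and produces the hardened set by dropping 'style'. The BASELINE_TAGS set is an assumption standing in for the gem's default safe list, which does not contain 'style', 'svg' or 'math'.

```ruby
require "set"

# Constructed stand-in for the gem's default HTML5 safe list (an assumption
# for this example; the real default set lives in the gem and does not
# contain "style", "svg" or "math").
BASELINE_TAGS = Set.new(%w[a abbr b blockquote br code em h1 h2 h3 i img
                           li ol p pre strong ul]).freeze

# Constructed sample of per-feature overrides, as an application might set
# via Rails::HTML5::SafeListSanitizer.allowed_tags = ... or sanitize(html, tags: ...)
SAMPLE_OVERRIDES = {
  "default"  => BASELINE_TAGS,                       # untouched safe list
  "comments" => BASELINE_TAGS + %w[style],           # the pattern in the advisory
  "docs"     => BASELINE_TAGS + %w[style svg],       # math still excluded
  "articles" => BASELINE_TAGS + %w[style svg math],  # not this CVE's pattern
}.freeze

# True when the override matches the advisory's condition for CVE-2024-53987:
# "style" explicitly allowed while "svg" or "math" is not allowed.
def vulnerable_override?(allowed_tags)
  tags = allowed_tags.map(&:to_s).to_set
  tags.include?("style") && !(tags.include?("svg") && tags.include?("math"))
end

# Names of the overrides that match the vulnerable pattern, in input order.
def audit_overrides(overrides)
  overrides.select { |_name, tags| vulnerable_override?(tags) }.keys
end

# Mitigation used here: drop "style" from the override instead of widening it
# with "svg"/"math". Returns a new Set; the input is not modified.
def hardened_tags(allowed_tags)
  allowed_tags.map(&:to_s).to_set - %w[style]
end

if __FILE__ == $PROGRAM_NAME
  audit_overrides(SAMPLE_OVERRIDES).each do |name|
    fixed = hardened_tags(SAMPLE_OVERRIDES[name]).to_a.sort
    puts "#{name}: matches vulnerable pattern; hardened tags -> #{fixed.inspect}"
  end
end
```

In a real application, feed audit_overrides the actual sets: the class-level Rails::HTML5::SafeListSanitizer.allowed_tags plus every tags: array passed to sanitize in views and helpers.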

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock for 'rails-html-sanitizer (1.6.0)' together with a 'rails' entry at 7.1.0 or later. Then confirm whether the HTML5 sanitizer is active (config.action_view.sanitizer_vendor, which defaults to Rails::HTML5::Sanitizer under load_defaults 7.1) and whether any custom sanitizer configuration allows 'style' without both 'svg' and 'math'. Only the combination of all three conditions is vulnerable.

Check Version:

bundle show rails-html-sanitizer   (prints the installed gem path, which includes the version; 'bundle list | grep rails-html-sanitizer' gives the version directly)

Verify Fix Applied:

Verify Gemfile.lock shows 'rails-html-sanitizer (1.6.1)' or higher, and that the running application has been restarted since the update (a deployed process still holding 1.6.0 in memory is still vulnerable).
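Across a fleet of repositories the lockfile check is easier to script than to eyeball. The Ruby below is an added example, not part of the page or of the gem: it parses the 'name (version)' spec lines of a constructed Gemfile.lock excerpt, strips platform suffixes such as '-x86_64-linux', and reports whether the pinned rails-html-sanitizer and rails versions fall inside the affected range. It checks versions only; the allowed-tag override still has to be inspected separately.

```ruby
require "rubygems" # for Gem::Version comparisons

# Constructed Gemfile.lock excerpt for the example (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.7-x86_64-linux)
      rails (7.1.3)
        rails-html-sanitizer (~> 1.6)
      rails-html-sanitizer (1.6.0)
LOCK

FIXED_SANITIZER = Gem::Version.new("1.6.1")
AFFECTED_RAILS  = Gem::Version.new("7.1.0")

# Map gem name -> Gem::Version for every resolved spec line ("name (x.y.z...)").
# Dependency lines such as "rails-html-sanitizer (~> 1.6)" are skipped because
# their parenthesised part starts with an operator, not a digit.
def locked_versions(lock_text)
  lock_text.each_line.with_object({}) do |line, acc|
    m = line.match(/^\s+([\w\-]+) \((\d[^)\-]*)/) # [^\-] drops "-x86_64-linux"
    acc[m[1]] = Gem::Version.new(m[2]) if m
  end
end

# Verdict for one lockfile:
#   :not_present            - gem not resolved at all
#   :fixed                  - rails-html-sanitizer >= 1.6.1
#   :not_affected           - rails < 7.1.0 (HTML5 sanitizer unavailable there)
#   :potentially_vulnerable - 1.6.0 or older with Rails >= 7.1.0; now audit the
#                             sanitizer vendor and allowed-tag overrides
def assess(lock_text)
  versions = locked_versions(lock_text)
  sanitizer = versions["rails-html-sanitizer"]
  rails     = versions["rails"]
  return :not_present unless sanitizer
  return :fixed if sanitizer >= FIXED_SANITIZER
  return :not_affected if rails && rails < AFFECTED_RAILS
  :potentially_vulnerable
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "#{ARGV[0] || 'sample lockfile'}: #{assess(text)}"
end
```

Run it as `ruby check_lock.rb path/to/Gemfile.lock`; with no argument it evaluates the embedded sample, which reports :potentially_vulnerable.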

📡 Detection & Monitoring

Log Indicators:

  • Submitted HTML (request parameters, stored content) containing style elements, especially nested inside svg or math elements
  • Style elements accompanied by classic XSS markers (script elements, on*= event-handler attributes)
  • Repeated submissions from one client with URL- or entity-encoded variants of the same fragment

Network Indicators:

  • HTTP request bodies or query strings containing HTML fragments with style elements, in plain or percent-encoded form

SIEM Query (starting point; tune to your log format and expect noise if the application legitimately accepts style elements):

source="rails_app" AND message="*Parameters*" AND (message="*<style*" OR message="*%3Cstyle*")
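The query above will be noisy wherever users are legitimately allowed to submit style elements, so a second pass that grades each hit is useful. The Ruby below is an added example, not from the page or the project: it runs a small classifier over constructed Rails-style request log lines (percent-decoding them first), returning :medium for a bare style element and :high when the style element sits inside svg or math or appears next to generic XSS markers. The sample lines, regexes and severity levels are all assumptions for this example.

```ruby
require "cgi" # CGI.unescape for percent-decoding

# Constructed sample lines in the shape of Rails request logging (not real
# traffic). Line 5 carries the fragment percent-encoded in the request path.
SAMPLE_LOG = [
  'Parameters: {"comment"=>{"body"=>"<p>looks good</p>"}}',
  'Parameters: {"comment"=>{"body"=>"<svg><style><b>x</b></style></svg>"}}',
  'Parameters: {"post"=>{"body"=>"<math><style>a{}</style></math>"}}',
  'Parameters: {"profile"=>{"bio"=>"<style>p{color:red}</style>"}}',
  'Started GET "/search?q=%3Csvg%3E%3Cstyle%3E%3C%2Fstyle%3E%3C%2Fsvg%3E" for 203.0.113.5',
  'Started GET "/search?q=rails" for 203.0.113.5',
].freeze

STYLE_RE   = /<style\b/i                # the element this CVE hinges on
FOREIGN_RE = /<(?:svg|math)\b/i         # style nested in foreign content
ACTIVE_RE  = /<script\b|\bon\w+\s*=/i   # generic XSS markers, not CVE-specific

# Severity for one log line:
#   :clean  - no <style> element at all
#   :medium - a bare <style>; may be legitimate if the app allows it on purpose
#   :high   - <style> together with <svg>/<math> or active-content markers
def classify(line)
  text = CGI.unescape(line) # fold %3C-style encodings before matching
  return :clean unless text.match?(STYLE_RE)
  text.match?(FOREIGN_RE) || text.match?(ACTIVE_RE) ? :high : :medium
end

# Returns [[line_number, severity], ...] for every line that is not :clean.
def scan(lines)
  lines.each_with_index.filter_map do |line, i|
    severity = classify(line)
    [i + 1, severity] unless severity == :clean
  end
end

if __FILE__ == $PROGRAM_NAME
  lines = ARGV[0] ? File.readlines(ARGV[0], chomp: true) : SAMPLE_LOG
  scan(lines).each { |no, sev| puts "line #{no}: #{sev}" }
end
```

Feed it a real log with `ruby scan_log.rb production.log`; on the embedded sample it reports lines 2, 3 and 5 as :high and line 4 as :medium. Entity-encoded text such as `&lt;style&gt;` is deliberately not decoded, since that is escaped text rather than markup.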

🔗 References

  • Vendor advisory (GHSA-2x5m-9ch4-qgrr): https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr