GHSA-76R7-HHXJ-R776
Vulnerability from github – Published: 2025-08-13 22:32 – Updated: 2025-08-21 21:36
VLAI?
Summary
Active Record logging vulnerable to ANSI escape injection
Details
This vulnerability has been assigned the CVE identifier CVE-2025-55193
Impact
The ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.
Releases
The fixed releases are available at the normal locations.
Credits
Thanks to lio346 from Unit 515 of OPSWAT for reporting this vulnerability
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activerecord"
},
"ranges": [
{
"events": [
{
"introduced": "8.0"
},
{
"fixed": "8.0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "activerecord"
},
"ranges": [
{
"events": [
{
"introduced": "7.2"
},
{
"fixed": "7.2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "activerecord"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55193"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-13T22:32:18Z",
"nvd_published_at": "2025-08-13T23:15:26Z",
"severity": "MODERATE"
},
"details": "This vulnerability has been assigned the CVE identifier CVE-2025-55193\n\n### Impact\nThe ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.\n\n### Releases\nThe fixed releases are available at the normal locations.\n\n### Credits\n\nThanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability",
"id": "GHSA-76r7-hhxj-r776",
"modified": "2025-08-21T21:36:39Z",
"published": "2025-08-13T22:32:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55193"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2025-55193.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Active Record logging vulnerable to ANSI escape injection"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…