Skip to content

Commit 6471a8b

Browse files
authored
Merge pull request #1161 from jasnow/two-new-viewcomponent-advs
Two new view_component gem advisories @simi - Thanks for reviewing my PR.
2 parents 12baec0 + 3fa8e05 commit 6471a8b

2 files changed

Lines changed: 66 additions & 0 deletions

File tree

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
---
2+
gem: view_component
3+
cve: 2026-54497
4+
ghsa: 9h85-g7w3-rh49
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497
6+
title: Reused Component Instances Retain Stale Render Context
7+
date: 2026-06-04
8+
description: |
9+
## Summary
10+
11+
ViewComponent::Base instances retain multiple render-scoped objects
12+
across calls to render_in. If the same component, collection, or
13+
spacer component instance is reused across requests, users, tenants,
14+
or threads, later renders can use stale helpers, controller, request,
15+
view_flow, format/variant details, and slot child context from an
16+
earlier render.
17+
18+
This can cause authorization-aware components to render privileged UI
19+
for a lower-privileged user, generate links using a stale Host header,
20+
leak slot/helper state, and mix request context under concurrent rendering.
21+
cvss_v3: 6.8
22+
unaffected_versions:
23+
- "< 4.0.0"
24+
patched_versions:
25+
- ">= 4.12.0"
26+
related:
27+
url:
28+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497
29+
- https://github.com/ViewComponent/view_component/releases/tag/v4.12.0
30+
- https://github.com/ViewComponent/view_component/security/advisories/GHSA-9h85-g7w3-rh49
31+
notes: |
32+
- cvss_v3 came from GHSA.
33+
- CVE is reserved, but not published so no non-GHSA cvss values.
Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
---
2+
gem: view_component
3+
cve: 2026-54498
4+
ghsa: 97jw-64cj-jc58
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498
6+
title: around_render HTML-Safety Bypass
7+
date: 2026-06-04
8+
description: |
9+
## Summary
10+
11+
ViewComponent::Base#around_render can return HTML-unsafe strings that
12+
bypass the escaping behavior applied to normal #call return values.
13+
This creates an XSS risk when downstream applications use around_render
14+
to wrap, replace, instrument, or conditionally return content that
15+
includes user-controlled data.
16+
17+
The issue is especially dangerous in collection rendering because
18+
ViewComponent::Collection#render_in joins the per-item results and
19+
marks the entire output as html_safe, converting raw unsafe
20+
output into a trusted ActiveSupport::SafeBuffer.
21+
cvss_v3: 8.7
22+
unaffected_versions:
23+
- "< 4.0.0"
24+
patched_versions:
25+
- ">= 4.12.0"
26+
related:
27+
url:
28+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498
29+
- https://github.com/ViewComponent/view_component/releases/tag/v4.12.0
30+
- https://github.com/ViewComponent/view_component/security/advisories/GHSA-97jw-64cj-jc58
31+
notes: |
32+
- cvss_v3 came from GHSA.
33+
- CVE is reserved, but not published so no non-GHSA cvss values.

0 commit comments

Comments
 (0)