Resolve CVEs #32

Merged
djordjelacmanovic merged 4 commits into master from chore/1119-resolve-cves
Sep 11, 2025

Conversation

@djordjelacmanovic
Contributor

Resolve CVEs/dependabot alerts

Name: actionview
Version: 6.1.4.1
CVE: CVE-2022-27777
GHSA: GHSA-ch3h-j2vf-95pv
Criticality: Medium
URL: https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
Title: Possible XSS Vulnerability in Action View tag helpers
Solution: upgrade to '~> 5.2.7, >= 5.2.7.1', '~> 6.0.4, >= 6.0.4.8', '~> 6.1.5, >= 6.1.5.1', '>= 7.0.2.4'

Name: actionview
Version: 6.1.4.1
CVE: CVE-2023-23913
GHSA: GHSA-xp5h-f8jf-rc8q
Criticality: High
URL: https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
Title: DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements
Solution: upgrade to '~> 6.1.7.3', '>= 7.0.4.3'

Name: activerecord
Version: 6.1.4.1
CVE: CVE-2022-32224
GHSA: GHSA-3hhc-qp5v-9p2j
Criticality: Critical
URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
Title: Possible RCE escalation bug with Serialized Columns in Active Record
Solution: upgrade to '~> 5.2.8, >= 5.2.8.1', '~> 6.0.5, >= 6.0.5.1', '~> 6.1.6, >= 6.1.6.1', '>= 7.0.3.1'

Name: activerecord
Version: 6.1.4.1
CVE: CVE-2022-44566
GHSA: GHSA-579w-22j4-4749
Criticality: High
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Solution: upgrade to '~> 5.2.8', '~> 6.1.7, >= 6.1.7.1', '>= 7.0.4.1'

Name: activerecord
Version: 6.1.4.1
CVE: CVE-2023-22794
GHSA: GHSA-hq7p-j377-6v63
Criticality: High
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: SQL Injection Vulnerability via ActiveRecord comments
Solution: upgrade to '~> 6.0.6, >= 6.0.6.1', '~> 6.1.7, >= 6.1.7.1', '>= 7.0.4.1'

Name: activesupport
Version: 6.1.4.1
CVE: CVE-2023-22796
GHSA: GHSA-j6gc-792m-qgm2
Criticality: Unknown
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: ReDoS based DoS vulnerability in Active Support’s underscore
Solution: upgrade to '~> 5.2.8', '~> 6.1.7, >= 6.1.7.1', '>= 7.0.4.1'

Name: activesupport
Version: 6.1.4.1
CVE: CVE-2023-28120
GHSA: GHSA-pj73-v5mw-pm9j
Criticality: Medium
URL: https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
Title: Possible XSS Security Vulnerability in SafeBuffer#bytesplice
Solution: upgrade to '~> 6.1.7, >= 6.1.7.3', '>= 7.0.4.3'

Name: activesupport
Version: 6.1.4.1
CVE: CVE-2023-38037
GHSA: GHSA-cr5q-6q9f-rq6q
Criticality: Medium
URL: https://github.com/rails/rails/releases/tag/v7.0.7.1
Title: Possible File Disclosure of Locally Encrypted Files
Solution: upgrade to '~> 6.1.7, >= 6.1.7.5', '>= 7.0.7.1'

Name: loofah
Version: 2.12.0
CVE: CVE-2022-23514
GHSA: GHSA-486f-hjj9-9vhh
Criticality: High
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
Title: Inefficient Regular Expression Complexity in Loofah
Solution: upgrade to '>= 2.19.1'

Name: loofah
Version: 2.12.0
CVE: CVE-2022-23515
GHSA: GHSA-228g-948r-83gx
Criticality: Medium
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
Title: Improper neutralization of data URIs may allow XSS in Loofah
Solution: upgrade to '>= 2.19.1'

Name: loofah
Version: 2.12.0
CVE: CVE-2022-23516
GHSA: GHSA-3x8r-x6xp-q4vm
Criticality: High
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
Title: Uncontrolled Recursion in Loofah
Solution: upgrade to '>= 2.19.1'

Name: nokogiri
Version: 1.12.5
CVE: CVE-2018-25032
GHSA: GHSA-v6gp-9mmm-c6p5
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
Title: Out-of-bounds Write in zlib affects Nokogiri
Solution: upgrade to '>= 1.13.4'

Name: nokogiri
Version: 1.12.5
CVE: CVE-2021-30560
GHSA: GHSA-fq42-c5rg-92c2
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Solution: upgrade to '>= 1.13.2'

Name: nokogiri
Version: 1.12.5
CVE: CVE-2022-23437
GHSA: GHSA-xxx9-3xcr-gjj3
Criticality: Medium
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
Title: XML Injection in Xerces Java affects Nokogiri
Solution: upgrade to '>= 1.13.4'

Name: nokogiri
Version: 1.12.5
CVE: CVE-2022-24836
GHSA: GHSA-crjr-9rc5-ghw8
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
Title: Inefficient Regular Expression Complexity in Nokogiri
Solution: upgrade to '>= 1.13.4'

Name: nokogiri
Version: 1.12.5
CVE: CVE-2022-24839
GHSA: GHSA-gx8x-g87m-h5q6
Criticality: High
URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
Title: Denial of Service (DoS) in Nokogiri on JRuby
Solution: upgrade to '>= 1.13.4'

Name: nokogiri
Version: 1.12.5
CVE: CVE-2022-29181
GHSA: GHSA-xh29-r2w5-wx8m
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
Title: Improper Handling of Unexpected Data Type in Nokogiri
Solution: upgrade to '>= 1.13.6'

Name: nokogiri
Version: 1.12.5
GHSA: GHSA-2qc6-mcvw-92cw
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw
Title: Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Solution: upgrade to '>= 1.13.9'

Name: nokogiri
Version: 1.12.5
GHSA: GHSA-353f-x4gh-cqq8
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8
Title: Nokogiri patches vendored libxml2 to resolve multiple CVEs
Solution: upgrade to '>= 1.18.9'

Name: nokogiri
Version: 1.12.5
GHSA: GHSA-5w6v-399v-w3cc
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc
Title: Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
Solution: upgrade to '>= 1.18.8'

Name: nokogiri
Version: 1.12.5
GHSA: GHSA-cgx6-hpwq-fhv5
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5
Title: Integer Overflow or Wraparound in libxml2 affects Nokogiri
Solution: upgrade to '>= 1.13.5'

Name: nokogiri
Version: 1.12.5
GHSA: GHSA-mrxw-mxhj-p664
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664
Title: Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs
Solution: upgrade to '>= 1.18.4'

Name: nokogiri
Version: 1.12.5
GHSA: GHSA-pxvg-2qj5-37jq
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq
Title: Update packaged libxml2 to v2.10.4 to resolve multiple CVEs
Solution: upgrade to '>= 1.14.3'

Name: nokogiri
Version: 1.12.5
GHSA: GHSA-r95h-9x8f-r3f7
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7
Title: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
Solution: upgrade to '>= 1.16.5'

Name: nokogiri
Version: 1.12.5
GHSA: GHSA-vvfq-8hwr-qm4m
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m
Title: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
Solution: upgrade to '>= 1.18.3'

Name: nokogiri
Version: 1.12.5
GHSA: GHSA-xc9x-jj77-9p9j
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
Title: Use-after-free in libxml2 via Nokogiri::XML::Reader
Solution: upgrade to '~> 1.15.6', '>= 1.16.2'

Name: rails-html-sanitizer
Version: 1.4.2
CVE: CVE-2022-23517
GHSA: GHSA-5x79-w82f-gw8w
Criticality: High
URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
Title: Inefficient Regular Expression Complexity in rails-html-sanitizer
Solution: upgrade to '>= 1.4.4'

Name: rails-html-sanitizer
Version: 1.4.2
CVE: CVE-2022-23518
GHSA: GHSA-mcvf-2q2m-x72m
Criticality: Medium
URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
Title: Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Solution: upgrade to '>= 1.4.4'

Name: rails-html-sanitizer
Version: 1.4.2
CVE: CVE-2022-23519
GHSA: GHSA-9h9g-93gc-623h
Criticality: Medium
URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
Title: Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Solution: upgrade to '>= 1.4.4'

Name: rails-html-sanitizer
Version: 1.4.2
CVE: CVE-2022-23520
GHSA: GHSA-rrfc-7g8p-99q8
Criticality: Medium
URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8
Title: Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Solution: upgrade to '>= 1.4.4'

Name: rails-html-sanitizer
Version: 1.4.2
CVE: CVE-2022-32209
GHSA: GHSA-pg8v-g4xq-hww9
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s
Title: Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Solution: upgrade to '>= 1.4.3'

Name: rexml
Version: 3.2.5
CVE: CVE-2024-35176
GHSA: GHSA-vg3r-rm7w-2xgh
Criticality: Medium
URL: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
Title: REXML contains a denial of service vulnerability
Solution: upgrade to '>= 3.2.7'

Name: rexml
Version: 3.2.5
CVE: CVE-2024-39908
GHSA: GHSA-4xqq-m2hx-25v8
Criticality: Medium
URL: https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
Title: DoS in REXML
Solution: upgrade to '>= 3.3.2'

Name: rexml
Version: 3.2.5
CVE: CVE-2024-41123
GHSA: GHSA-r55c-59qm-vjw6
Criticality: Medium
URL: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123
Title: DoS vulnerabilities in REXML
Solution: upgrade to '>= 3.3.3'

Name: rexml
Version: 3.2.5
CVE: CVE-2024-41946
GHSA: GHSA-5866-49gr-22v4
Criticality: Medium
URL: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
Title: DoS vulnerabilities in REXML
Solution: upgrade to '>= 3.3.3'

Name: rexml
Version: 3.2.5
CVE: CVE-2024-43398
GHSA: GHSA-vmwr-mc7x-5vc3
Criticality: Medium
URL: https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
Title: REXML denial of service vulnerability
Solution: upgrade to '>= 3.3.6'

Name: rexml
Version: 3.2.5
CVE: CVE-2024-49761
GHSA: GHSA-2rxp-v6pw-ch6m
Criticality: High
URL: https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
Title: REXML ReDoS vulnerability
Solution: upgrade to '>= 3.3.9'

Name: thor
Version: 1.1.0
CVE: CVE-2025-54314
GHSA: GHSA-mqcp-p2hv-vw6x
Criticality: Low
URL: https://github.com/advisories/GHSA-mqcp-p2hv-vw6x
Title: Thor can construct an unsafe shell command from library input.
Solution: upgrade to '>= 1.4.0'

@djordjelacmanovic djordjelacmanovic self-assigned this Jul 27, 2025
Set Ruby matrix versions as strings
Setting 3.0 as float sets up latest Ruby 3.x
Update standardb and resolve lint issues
@djordjelacmanovic djordjelacmanovic merged commit 6a3d680 into master Sep 11, 2025
5 checks passed