CVE CyberSecurity Database News

CVE-2024-26143 - XSS Vulnerability in Rails Translation Helpers – How It Works, Example Exploit, and Patch Guidance

Poster -

If you’re running a Ruby on Rails app and using translation helpers like t or translate, you may be sitting on an unnoticed security flaw. CVE-2024-26143 exposes a potential XSS (Cross-Site Scripting) vulnerability in how Rails processes certain HTML translation keys. Here’s a clear, detailed breakdown of the issue—including a code example, links to references, and steps to patch your app.

What Is CVE-2024-26143?

Rails translation helpers (t, translate) let you internationalize your app content. They offer a shortcut to display user-facing text based on I18n keys.

All versions before 7..8.1 (7. branch)

If you’re using 7.1.3.1 or newer, or 7..8.1 or newer, you’re protected.

Suppose you have a controller like this

class WelcomeController < ApplicationController
  def index
    search = params[:search]         # User input from query string
    @greeting = t(
      "welcome_message_html",
      default: search                # Default value comes from the user!
    )
  end
end

In your locale YAML, imagine the key isn’t set

en:
  # welcome_message_html: "Hello user"

In your view

<%= @greeting %>

If a malicious user visits

/?search=<script>alert('XSS')</script>

Then @greeting will be set to the unfiltered user input: <script>alert('XSS')</script>, which will run JavaScript in users’ browsers.

Run:

bundle update rails

Or specify the patched version in your Gemfile

gem "rails", ">= 7.1.3.1"   # Or 7..8.1 for Rails 7. users

2. Check Your Code For Dangerous Uses

Search for any uses of t(..., default: ...) or translate(..., default: ...) where the default comes from user input.

DON’T do this

t("something_html", default: params[:userinput])

Sanitize user input, or better yet, don’t use the _html key suffix unless you absolutely control and verify the value.

3. Always Escape Output in Views

Even with translations, use &lt;%= h @greeting %&gt; instead of <%= @greeting %> if you aren’t sure whether the value is safe.

Official References

- CVE Entry on NVD
- Rails Security Announcement
- Rails GitHub Commit (Patch)

Here’s a minimal controller and view combo that is vulnerable

# app/controllers/pages_controller.rb
class PagesController < ApplicationController
  def show
    @data = t("some_missing_html_key", default: params[:evil])
  end
end

<!-- app/views/pages/show.html.erb -->
<%= @data %>

Attack by visiting

/pages/show?evil=<img src="x" onerror="alert('xss')">

Conclusion

CVE-2024-26143 reminds us never to pass untrusted data to helpers designed to return HTML. Always keep your Rails framework up to date, audit your usage of translation helpers, and escape output if you have any doubts.

Check your code today and get patched—before attackers check for you.

Timeline

Published on: 02/27/2024 16:15:46 UTC
Last modified on: 02/29/2024 01:44:18 UTC