{"id":"CVE-2024-54133","summary":"Possible Content Security Policy bypass in Action Dispatch","details":"Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.","aliases":["GHSA-vfm5-rmrh-j26v"],"modified":"2026-04-09T12:01:21.857361Z","published":"2024-12-10T22:52:04.633Z","related":["openSUSE-SU-2025:14668-1","openSUSE-SU-2025:14669-1","openSUSE-SU-2025:14670-1","openSUSE-SU-2025:14671-1","openSUSE-SU-2025:14672-1","openSUSE-SU-2025:14673-1","openSUSE-SU-2025:14674-1","openSUSE-SU-2025:14675-1","openSUSE-SU-2025:14676-1","openSUSE-SU-2025:14677-1","openSUSE-SU-2025:14678-1","openSUSE-SU-2025:14679-1","openSUSE-SU-2025:14680-1","openSUSE-SU-2026:10335-1","openSUSE-SU-2026:10336-1","openSUSE-SU-2026:10337-1","openSUSE-SU-2026:10338-1","openSUSE-SU-2026:10339-1","openSUSE-SU-2026:10340-1","openSUSE-SU-2026:10341-1","openSUSE-SU-2026:10342-1","openSUSE-SU-2026:10343-1","openSUSE-SU-2026:10344-1","openSUSE-SU-2026:10345-1","openSUSE-SU-2026:10360-1","openSUSE-SU-2026:10362-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54133.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54133.json"},{"type":"ADVISORY","url":"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-54133"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250306-0010/"},{"type":"FIX","url":"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49"},{"type":"FIX","url":"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a"},{"type":"FIX","url":"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542"},{"type":"FIX","url":"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"0"},{"fixed":"2e3f41e4538b9ca1044357f6644f037bbb7c6c49"}]},{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"0"},{"fixed":"3da2479cfe1e00177114b17e496213c40d286b3a"}]},{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"0"},{"fixed":"5558e72f22fc69c1c407b31ac5fb3b4ce087b542"}]},{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"0"},{"fixed":"cb16a3bb515b5d769f73926d9757270ace691f1d"}]}],"versions":["v0.10.0","v0.10.1","v0.11.0","v0.11.1","v0.12.0","v0.13.0","v0.13.1","v0.14.1","v0.14.3","v0.9.1","v0.9.2","v0.9.3","v0.9.4","v0.9.4.1","v0.9.5","v1.1.0","v1.1.0_RC1","v1.1.1","v2.0.0","v2.0.0_PR","v2.0.0_RC1","v2.0.0_RC2","v2.0.1","v3.0.0.beta.3","v3.0.0.beta3","v3.1.0.beta1","v3.1.0.rc1","v3.2.0.rc1","v4.0.0.beta1","v4.0.0.rc1","v4.2.0.beta1","v5.0.0.beta1","v5.0.0.beta2","v5.0.0.beta4","v5.1.0.beta1","v6.0.0.beta1","v6.0.0.beta2","v6.1.0.rc1","v7.0.0","v7.0.0.alpha1","v7.0.0.alpha2","v7.0.0.rc1","v7.0.1","v7.0.2","v7.0.3","v7.0.4","v7.0.5","v7.0.6","v7.0.7","v7.0.8","v7.0.8.1","v7.0.8.2","v7.0.8.3","v7.0.8.4","v7.0.8.5","v7.0.8.6","v7.1.0","v7.1.0.beta1","v7.1.0.rc1","v7.1.0.rc2","v7.1.1","v7.1.2","v7.1.3","v7.1.4","v7.1.5","v7.2.0.beta1","v7.2.0.beta2","v7.2.0.beta3","v7.2.0.rc1","v7.2.1","v7.2.2","v8.0.0","v8.0.0.beta1","v8.0.0.rc1","v8.0.0.rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-54133.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}