CVE-2024-26143 Overview
CVE-2024-26143 is a Cross-Site Scripting (XSS) vulnerability affecting Ruby on Rails applications that use translation helpers in Action Controller. The vulnerability occurs when applications use translation methods like translate or t on a controller with a key ending in _html, combined with a :default key containing untrusted user input, and the resulting string is rendered in a view.
Critical Impact
Attackers can inject malicious scripts into web pages viewed by other users, potentially stealing session cookies, credentials, or performing actions on behalf of authenticated users.
Affected Products
- Ruby on Rails versions prior to 7.1.3.1
- Ruby on Rails versions prior to 7.0.8.1
- Applications using translate or t helpers with _html suffix keys and user-controlled :default values
Discovery Timeline
- 2024-02-27 - CVE-2024-26143 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2024-26143
Vulnerability Analysis
This Cross-Site Scripting vulnerability resides in the ActionPack component of Ruby on Rails, specifically within the translation helper methods used in controllers. Rails provides internationalization (i18n) support through helper methods like translate and its alias t. When a translation key ends with _html, Rails typically marks the output as HTML-safe, trusting that the translated content is properly sanitized.
The vulnerability arises from a flaw in how the :default parameter is handled. When a translation key is not found and the :default fallback value is used, the HTML-safe marking is incorrectly applied to user-supplied input. This means that if an attacker can control the :default parameter value, they can inject arbitrary JavaScript or HTML that will be rendered without escaping in the application's views.
Root Cause
The root cause is improper input sanitization in the translation helper's handling of the :default fallback mechanism. When using translation keys ending in _html, Rails assumes all content should be marked as HTML-safe. However, the framework failed to properly sanitize or escape the :default parameter before marking it as safe, allowing untrusted user input to bypass Rails' built-in XSS protections.
Attack Vector
The attack is network-based: an attacker crafts input that is processed through the translation helper's :default parameter. The attack flow follows this pattern:
- The attacker identifies a Rails application using translation helpers with _html suffix keys
- The attacker provides malicious JavaScript or HTML content through a user-controllable input that maps to the :default parameter
- When the translation key lookup fails, the malicious :default value is used and marked as HTML-safe
- The unescaped malicious content is rendered in the view, executing in the victim's browser
The vulnerability requires user interaction (a victim must visit a page containing the malicious payload). The impact includes potential theft of session tokens, credential harvesting, defacement, or performing unauthorized actions on behalf of authenticated users.
Detection Methods for CVE-2024-26143
Indicators of Compromise
- Unusual translate or t method calls in controller logs with HTML/JavaScript content in parameters
- Unexpected HTML tags or script elements appearing in application output where translation fallbacks are used
- Web application firewall (WAF) alerts for XSS patterns in request parameters that map to translation defaults
Detection Strategies
- Review application code for uses of translate or t methods with keys ending in _html that accept user-controlled :default values
- Implement static application security testing (SAST) rules to flag vulnerable translation helper patterns in Rails controllers
- Monitor web server logs for suspicious payloads containing script tags or event handlers in parameters
Monitoring Recommendations
- Enable detailed logging for Rails i18n translation lookups and fallback usage
- Deploy a Content Security Policy (CSP) to limit the impact of any successful XSS attacks
- Implement runtime application self-protection (RASP) to detect and block XSS payload execution
How to Mitigate CVE-2024-26143
Immediate Actions Required
- Upgrade Ruby on Rails to 7.1.3.1 (7.1.x) or 7.0.8.1 (7.0.x) or later immediately
- Audit all controller code for translation helper usage with _html suffix keys and user-supplied :default values
- Implement input validation and sanitization for any user-controlled data passed to translation helpers
- Consider temporarily removing or escaping user-controllable :default parameters until patches are applied
Patch Information
The Ruby on Rails team has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- Rails 7.1.x: Upgrade to 7.1.3.1 or later
- Rails 7.0.x: Upgrade to 7.0.8.1 or later
Patch commits are available in the Rails GitHub repository. Additional details can be found in the GitHub Security Advisory and the Ruby on Rails Discussion.
Workarounds
- Manually escape all user-supplied :default values using the html_escape or h helper before passing them to translation methods
- Avoid using translation keys ending in _html when the :default parameter may contain user input
- Implement application-level input sanitization for all user-controllable parameters used in i18n lookups
- Use a Web Application Firewall (WAF) rule to filter known XSS patterns in request parameters
# Workaround: manually escape user input before it reaches an _html translation default
# Instead of:
# t('missing_key_html', default: user_input)
# Use (h is ERB::Util#h; in a controller it needs `include ERB::Util`, or call ERB::Util.h):
t('missing_key_html', default: h(user_input))
# Or escape before use, which works in any context without extra includes:
sanitized_default = ERB::Util.html_escape(user_input)
t('missing_key_html', default: sanitized_default)
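As an added example (not the page's or Rails' own code), the Ruby model below reproduces the two behaviours described in the Root Cause and Workarounds sections: the pre-fix controller helper marks a String :default safe as-is for an _html key, while the patched helper escapes it first. SafeString, TRANSLATIONS, lookup, render and the request value are constructed stand-ins for the Rails pieces, and ERB::Util.html_escape is the real standard-library call.

```ruby
require 'erb'
# Stand-in for ActiveSupport::SafeBuffer: a String the view layer will not escape again.
# Everything here is a model of the helper's behaviour, not Rails' own code.
class SafeString < String; end

# Constructed sample translation table standing in for the I18n backend.
TRANSLATIONS = { 'greeting_html' => '<strong>Welcome</strong>' }.freeze

def lookup(key)
  TRANSLATIONS[key.to_s]
end

# A Symbol :default names another key to try; a String :default is literal text.
def resolve_default(default)
  default.is_a?(Symbol) ? lookup(default) : default
end

# Model of the pre-fix helper: for an _html key the result, including a
# caller-supplied :default used because the key is missing, is marked safe as-is.
def translate_vulnerable(key, default: nil)
  value = lookup(key)
  value = resolve_default(default) if value.nil? && !default.nil?
  return nil if value.nil?
  key.to_s.end_with?('_html') ? SafeString.new(value.to_s) : value.to_s
end

# Model of the patched helper: for an _html key a String :default is HTML-escaped
# before the result is marked safe, so only the translation table's own markup is trusted.
def translate_fixed(key, default: nil)
  html = key.to_s.end_with?('_html')
  value = lookup(key)
  if value.nil? && !default.nil?
    value = resolve_default(default)
    value = ERB::Util.html_escape(value) if html && default.is_a?(String)
  end
  return nil if value.nil?
  html ? SafeString.new(value.to_s) : value.to_s
end

# Model of the view layer: escapes everything except strings already marked safe.
def render(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  untrusted = '<i>untrusted</i>' # constructed stand-in for a request parameter
  puts render(translate_vulnerable('missing_key_html', default: untrusted)) # raw markup reaches the page
  puts render(translate_fixed('missing_key_html', default: untrusted))      # escaped text
end
```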
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.