CVE-2025-55193

Active Record logging vulnerable to ANSI escape injection

  • Severity Score: 2.7 (CVSS v4)
  • Exploit Likelihood (EPSS): no value given
  • Affected Versions (CPE): see the affected-versions table below
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild (KEV): no record
  • Decision (SSVC): Attend

Descriptions

Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If the log output goes directly to a terminal, it may contain unescaped ANSI escape sequences, which the terminal will interpret. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.

Multiple security issues were discovered in the Rails web framework which could result in command injection or logging of unescaped ANSI sequences. For the oldstable distribution (bookworm), these problems have been fixed in version 2:6.1.7.10+dfsg-1~deb12u2. For the stable distribution (trixie), these problems have been fixed in version 2:7.2.2.2+dfsg-2~deb13u1.

*Credits: N/A
CVSS Scores

CVSS v4
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: None
  • User Interaction: None
  • Confidentiality (Vulnerable System / Subsequent System): None / None
  • Integrity (Vulnerable System / Subsequent System): None / Low
  • Availability (Vulnerable System / Subsequent System): None / None

CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-08-08 CVE Reserved
  • 2025-08-13 CVE Published
  • 2025-08-14 CVE Updated
  • 2026-03-19 EPSS Updated
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
  • First Exploit: not recorded
CWE
  • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Rails | Rails | < 7.1.5.2 | en | Affected
Rails | Rails | >= 7.2.0.0 < 7.2.2.2 | en | Affected
Rails | Rails | >= 8.0.0.0 < 8.0.2.1 | en | Affected