{"id":"CVE-2023-22797","details":"An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However, the check introduced could be bypassed by an attacker with a carefully crafted URL, resulting in an open redirect vulnerability.","aliases":["GHSA-9445-4cr6-336r"],"modified":"2026-04-10T04:55:29.029307Z","published":"2023-02-09T20:15:11.550Z","related":["openSUSE-SU-2024:12765-1","openSUSE-SU-2024:14067-1","openSUSE-SU-2025:15110-1"],"references":[{"type":"WEB","url":"https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"984c3ef2775781d47efa9f541ce570daa2434a80"},{"fixed":"23e0345fe900dfd7edd6e8e5a7a6bd54b2a7d2ed"},{"introduced":"984c3ef2775781d47efa9f541ce570daa2434a80"},{"fixed":"23e0345fe900dfd7edd6e8e5a7a6bd54b2a7d2ed"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"fixed":"7.0.4.1"},{"introduced":"7.0.0"},{"fixed":"7.0.4.1"}]}}],"versions":["v7.0.0","v7.0.1","v7.0.2","v7.0.3","v7.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22797.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}