{"id":"CVE-2024-54133","summary":"Possible Content Security Policy bypass in Action Dispatch","details":"Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input (CSP directives are separated by `;`, so at minimum reject values containing that character before they reach the helper).","aliases":["BIT-rails-2024-54133","GHSA-vfm5-rmrh-j26v"],"modified":"2026-04-10T05:18:28.778450Z","published":"2024-12-10T22:52:04.633Z","related":["openSUSE-SU-2025:14668-1","openSUSE-SU-2025:14669-1","openSUSE-SU-2025:14670-1","openSUSE-SU-2025:14671-1","openSUSE-SU-2025:14672-1","openSUSE-SU-2025:14673-1","openSUSE-SU-2025:14674-1","openSUSE-SU-2025:14675-1","openSUSE-SU-2025:14676-1","openSUSE-SU-2025:14677-1","openSUSE-SU-2025:14678-1","openSUSE-SU-2025:14679-1","openSUSE-SU-2025:14680-1","openSUSE-SU-2026:10335-1","openSUSE-SU-2026:10336-1","openSUSE-SU-2026:10337-1","openSUSE-SU-2026:10338-1","openSUSE-SU-2026:10339-1","openSUSE-SU-2026:10340-1","openSUSE-SU-2026:10341-1","openSUSE-SU-2026:10342-1","openSUSE-SU-2026:10343-1","openSUSE-SU-2026:10344-1","openSUSE-SU-2026:10345-1","openSUSE-SU-2026:10360-1","openSUSE-SU-2026:10362-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54133.json","cwe_ids":["CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-
2024-54133.json"},{"type":"ADVISORY","url":"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-54133"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250306-0010/"},{"type":"FIX","url":"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49"},{"type":"FIX","url":"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a"},{"type":"FIX","url":"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542"},{"type":"FIX","url":"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"375a4143cf5caeb6159b338be824903edfd62836"},{"fixed":"778eab826538be6da355d848aecaea2245e3b8ce"}],"database_specific":{"versions":[{"introduced":"5.2.0"},{"fixed":"7.0.8.7"}]}},{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"d39db5d1891f7509cde2efc425c9d69bbb77e670"},{"fixed":"14c115b120ed089331ff3dc13f36bd9129ced33d"}],"database_specific":{"versions":[{"introduced":"7.1.0"},{"fixed":"7.1.5.1"}]}},{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"fb6c4305939da06efdf2893d99130e7829c53e8b"},{"fixed":"33beb0a38db1c058123a8e3cc298cad918adfe32"}],"database_specific":{"versions":[{"introduced":"7.2.0"},{"fixed":"7.2.2.1"}]}},{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"dd8f7185faeca6ee968a6e9367f6d8601a83b8db"},{"fixed":"a993c27a50395e727872600b5669976ff0a272e7"}],"database_specific":{"versions":[{"introduced":"8.0.0"},{"fixed":"8.0.0.1"}]}}],"versions":["v7.1.0","v7.1.1","v7.1.2","v7.1.3","v7.1.4","v7.1.5","v8.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-54133.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N
/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}