Red Hat CVE-2026-33170
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.
Releases
The fixed releases are available at the normal locations.
AnalysisAI
SafeBuffer's string formatting operator (%) in Ruby fails to preserve HTML safety flags when processing untrusted input, allowing attackers to inject malicious scripts that bypass ERB auto-escaping protections. An attacker can exploit this by providing crafted arguments to the % operator on a mutated SafeBuffer, causing the resulting string to be incorrectly marked as safe and potentially leading to cross-site scripting (XSS) attacks. A patch is available for affected applications.
Technical ContextAI
ActiveSupport's SafeBuffer class (pkg:rubygems/activesupport) implements HTML safety tracking via an @html_unsafe flag to prevent XSS in ERB templating. When a SafeBuffer is mutated in-place via methods like gsub!, the modified buffer retains its safe status. However, when the % formatting operator is subsequently used with untrusted user arguments, it creates a new buffer object without properly copying the @html_unsafe flag from the parent. This is a type confusion issue classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The root cause is insufficient state propagation in string formatting operations on marked-safe objects, violating the principle that any buffer containing user input should not be implicitly trusted.
RemediationAI
Immediately upgrade ActiveSupport to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or later depending on your Rails version. These patched releases are available from the standard RubyGems repository and can be installed via bundle update activesupport. The fixes are applied in commits 50d732af3b7c8aaf63cbcca0becbc00279b215b7, 6e8a81108001d58043de9e54a06fca58962fc2db, and c1ad0e8e1972032f3395853a5e99cea035035beb, which properly propagate the @html_unsafe flag during string formatting operations. As an interim compensating control, audit templates that perform in-place mutations (gsub!, sub!, etc.) on SafeBuffer objects followed by % formatting and consider refactoring to avoid such patterns, though patching is the definitive solution.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP1 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP2 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP3 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP6 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today