Providing security resources for the Ruby community

CVE-2020-8159 (actionpack-page_caching): Arbitrary file write/potential remote code execution in actionpack-page_caching





  • >= 1.2.1


There is a vulnerability in the actionpack-page_caching gem that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.

Versions Affected: All versions of actionpack-page_caching (part of Rails prior to Rails 4.0) Not affected: Applications not using actionpack-page_caching Fixed Versions: actionpack-page_caching >= 1.2.1


The Action Pack Page Caching gem writes cache files to the file system in order for the front end webserver (nginx, Apache, etc) to serve the cached file without making a request to the application server. Paths contain what is effectively user input can be used to manipulate the location of the cache file.

For example “/users/123” could be changed to “/users/../../../foo” and this will escape the cache directory. Attackers can use this technique to springboard to an RCE if they can write arbitrary ERb to a view folder.

Impacted code looks like this:

class BooksController < ApplicationController
  caches_page :show

Where the show action of the BooksController may be vulnerable.