ANSI escape injection in Active Record logging

Low
jhawthorn published GHSA-76r7-hhxj-r776 Aug 13, 2025

Package

activerecord (RubyGems)

Affected versions

>= 8.0, < 8.0.2.1
>= 7.2, < 7.2.2.2
>= 0, < 7.1.5.2

Patched versions

8.0.2.1
7.2.2.2
7.1.5.2

Description

This vulnerability has been assigned the CVE identifier CVE-2025-55193.

Impact

The ID passed to `find` or similar methods may be logged without escaping. If the log is written directly to a terminal, the output may include unescaped ANSI sequences.
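One way to keep control sequences out of terminal-visible logs, shown as an added example (this is not the Rails patch and not code from this advisory): a Ruby `Logger` formatter that rewrites control characters into a visible form before the line is written. The names `neutralize_controls`, `EscapingFormatter` and `log_lookup`, the log message text and the sample ID are assumptions made for illustration.

```ruby
require "logger"
require "stringio"

# C0 controls (except tab and newline), DEL, and C1 controls such as CSI (U+009B).
CONTROL_CHARS = /[\u0000-\u0008\u000B-\u001F\u007F-\u009F]/

# Rewrite every control character as a literal \xNN so that a terminal
# displays it instead of interpreting it.
def neutralize_controls(text)
  text.to_s.scrub("?").gsub(CONTROL_CHARS) { |ch| format("\\x%02X", ch.ord) }
end

# Formatter that escapes the message and then delegates to the stock layout.
class EscapingFormatter < Logger::Formatter
  def call(severity, time, progname, msg)
    super(severity, time, progname, neutralize_controls(msg2str(msg)))
  end
end

# Hypothetical helper: logs an untrusted ID and returns what was written.
def log_lookup(id)
  io = StringIO.new
  logger = Logger.new(io)
  logger.formatter = EscapingFormatter.new
  logger.debug("lookup failed for id=#{id}") # constructed message text
  io.string
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: an ID carrying an ANSI colour sequence.
  puts log_lookup("42\e[31mFAKE\e[0m")
end
```

Escaping in the formatter covers every message that reaches that logger, whichever call site produced it, but it does not replace upgrading to a patched release.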

Releases

The fixed releases are available at the normal locations.

Credits

Thanks to lio346 for reporting this vulnerability.

Severity

Low

CVE ID

CVE-2025-55193

Weaknesses

Improper Neutralization of Escape, Meta, or Control Sequences

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.