CVE-2026-44837: view_component: System Test Entry Point Path Check Allows Sibling Directory Escape

May 8, 2026

The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix.

Severity: Medium; test-route scoped.

Example:

Allowed base:  /app/tmp/view_components
Outside path:  /app/tmp/view_components_evil/secret.html.erb

The outside path is not inside the base directory, but it passes:

@path.start_with?(base_path)

References

github.com/ViewComponent/view_component
github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp
github.com/advisories/GHSA-hg3h-g7xc-f7vp
nvd.nist.gov/vuln/detail/CVE-2026-44837

Code Behaviors & Features

Detect and mitigate CVE-2026-44837 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →