CVE-2008-5189: rails is vulnerable to CRLF injection

October 24, 2017 (updated April 9, 2025)

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

References

github.com/advisories/GHSA-jmgf-p46x-982h
github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2008-5189.yml
nvd.nist.gov/vuln/detail/CVE-2008-5189

Code Behaviors & Features

Detect and mitigate CVE-2008-5189 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →