CVE-2022-22577 in Action Pack
Summary
by MITRE • 05/26/2022
An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/01/2026
The vulnerability identified as CVE-2022-22577 represents a cross-site scripting flaw within the Action Pack framework version 5.2.0 and earlier releases. This issue specifically affects applications utilizing the ruby on rails framework where the vulnerability manifests in the handling of non-html responses, creating a significant security risk for web applications that rely on this framework for their backend operations. The flaw exists in the way Action Pack processes certain HTTP responses that do not contain traditional html content, potentially allowing malicious actors to circumvent content security policies that are typically enforced for html content.
The technical implementation of this vulnerability stems from insufficient input validation and output encoding mechanisms within the Action Pack component. When applications process requests that result in non-html responses such as json, xml, or other data formats, the framework fails to properly sanitize user-controllable data that may be included in these responses. This oversight creates an opportunity for attackers to inject malicious scripts that can execute in the context of the victim's browser when these responses are consumed by web applications. The vulnerability operates at the application layer and specifically targets the framework's response handling mechanisms rather than network-level protocols, making it particularly dangerous for applications that use rails for api endpoints or data exchange interfaces.
The operational impact of this vulnerability extends beyond typical XSS scenarios due to its ability to bypass content security policies that are normally effective against html content. In environments where CSP headers are properly configured to restrict script execution, attackers can leverage this flaw to inject malicious code that operates outside the normal security boundaries. This bypass capability means that even applications with robust CSP implementations may still be vulnerable to attacks that exploit this specific flaw in Action Pack's response handling. The vulnerability affects applications that process user input through the rails framework and return non-html responses, potentially compromising user sessions, stealing sensitive data, or redirecting users to malicious sites.
Organizations using affected versions of Action Pack should immediately implement mitigations including upgrading to patched versions of the framework, implementing additional input validation measures, and reviewing existing CSP configurations to ensure they properly account for non-html response handling. The vulnerability aligns with CWE-79 which classifies cross-site scripting flaws, and maps to ATT&CK technique T1059.007 for script injection attacks. Security teams should also consider implementing web application firewalls that can detect and block suspicious payloads in non-html responses, and conduct thorough code reviews to identify potential injection points in applications that may be affected by this specific vulnerability in the framework's handling of various response types.