[CVE-2025-55193] ANSI escape injection in Active Record logging

jhawthorn · August 13, 2025, 8:46pm

This vulnerability has been assigned the CVE identifier CVE-2025-55193

Impact

The ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.

Releases

The fixed releases are available at the normal locations.

Credits

Thanks to lio346 for reporting this vulnerability

CVE-2025-55193
GHSA-76r7-hhxj-r776

Versions affected

activerecord >= 8.0, < 8.0.2.1 (patched in 8.0.2.1)
activerecord >= 7.2, < 7.2.2.2 (patched in 7.2.2.2)
activerecord >= 0, < 7.1.5.2 (patched in 7.1.5.2)

Topic		Replies	Views
[CVE-2023-22794] SQL Injection Vulnerability via ActiveRecord comments Security Announcements patch , activerecord , security	0	31089	January 17, 2023
Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1, and rails-html-sanitizer 1.0.3 have been released! rubyonrails-talk announcement	6	266	January 27, 2016
Binary / ESC in dev log rubyonrails-talk	0	147	October 21, 2006
ActiveRecord + Postgres + \000 = BOOM rubyonrails-talk	1	132	February 2, 2007
Rails 3.0.10 rubyonrails-talk announcement	0	152	August 16, 2011

[CVE-2025-55193] ANSI escape injection in Active Record logging

Impact

Releases

Credits

Versions affected

Patches

More Resources

[CVE-2025-55193] ANSI escape injection in Active Record logging

Impact

Releases

Credits

Versions affected

Patches

Related topics

More Resources