Cyber Resilience

CVE-2019-5418

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 27 March 2019
Modified: 30 October 2025
KEV Added: 07 July 2025
Patch: 22 March 2019
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9432 (100.0th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-5418 is a high-severity path traversal (CWE-22) vulnerability in Action View, the view-rendering component of Ruby on Rails. Its CVSS v3.1 base score is 7.5 (High).

Operationally, its EPSS score of 0.9432 places it at the 100th percentile of all scored CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation); the definitive fix is upgrading to a patched release (5.2.2.1, 5.1.6.2, 5.0.7.2 or 4.2.11.1).

Deeper analysis

CVE-2019-5418 is a file content disclosure vulnerability in Action View, affecting Ruby on Rails releases before 5.2.2.1, 5.1.6.2, 5.0.7.2 and 4.2.11.1, and every 3.x release. Action View derives the request's candidate formats from the Accept header and passes them into template path resolution. On affected versions an Accept value that is not a registered media type is carried through unchanged, and because the path resolver normalises the path it builds (collapsing ../ sequences), a value containing traversal sequences escapes the view directory and the contents of the file it names are rendered into the response. The issue is tracked as CWE-22 with a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity and high confidentiality impact, with no authentication or user interaction required.

An unauthenticated remote attacker sends a single HTTP request with a crafted Accept header (the public proof of concept uses a value of the form ../../../../../../../../etc/passwd{{) to a route whose controller action renders a file with render file:, which is the code path the Rails advisory scopes the issue to. Because the payload travels in a header rather than the URL, request-line logging alone will not show it. Successful exploitation returns the contents of any file readable by the application process, enabling disclosure of configuration data such as config/database.yml and the credentials master key, application source code, or other filesystem artifacts. Applications on an affected version should be treated as exposed and patched rather than audited for the render file: pattern.
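Detection logic for this pattern, as an added example written for this page and not taken from the page's sources or from the Rails project: it reads constructed access-log records that preserve the Accept header and flags values that contain a traversal sequence, an absolute path, the {{ used by the public PoC, or anything that is not a syntactically valid media range. The log shape and field names (ts, src, method, path, accept) are assumptions; adapt the JSON.parse line to whatever your proxy or WAF actually emits.

```ruby
require "json"

# Constructed sample log, one JSON record per request, in the shape a
# reverse proxy or WAF that logs the Accept header might produce. Not real
# traffic; the traversal values mirror the public PoC pattern.
SAMPLE_LOG = <<~'LOG'
  {"ts":"2019-03-28T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/robots","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"}
  {"ts":"2019-03-28T10:00:02Z","src":"203.0.113.9","method":"GET","path":"/robots","accept":"../../../../../../../../etc/passwd{{"}
  {"ts":"2019-03-28T10:00:03Z","src":"203.0.113.9","method":"GET","path":"/robots","accept":"../../../../../../../../config/database.yml{{"}
  {"ts":"2019-03-28T10:00:04Z","src":"192.0.2.4","method":"GET","path":"/api/items","accept":"application/json"}
  {"ts":"2019-03-28T10:00:05Z","src":"192.0.2.5","method":"GET","path":"/api/items","accept":"*/*"}
LOG

# A legitimate Accept element is a media range: type/subtype with optional
# ";name=value" parameters. TOKEN is a simplified RFC 7231 token class.
TOKEN = "[A-Za-z0-9!%&'*+.^_~-]+"
MEDIA_RANGE = /\A#{TOKEN}\/#{TOKEN}(?:\s*;\s*#{TOKEN}=[^;,]*)*\z/

# Direct indicators of the CVE-2019-5418 payload: a traversal sequence, an
# absolute path, or the brace pair the public PoC appends.
TRAVERSAL = /\.\.\/|\.\.\\|\A\/|\{\{/

# true when the Accept value is either a known payload shape or simply not
# a list of media ranges (the durable signal: it survives payload variants).
def suspicious_accept?(accept)
  return false if accept.nil? || accept.empty?
  return true if accept.match?(TRAVERSAL)
  accept.split(",").any? { |range| !range.strip.match?(MEDIA_RANGE) }
end

# Parses each JSON record and returns the requests worth alerting on.
def flag_requests(log_text)
  log_text.each_line.each_with_object([]) do |line, hits|
    line = line.strip
    next if line.empty?
    rec = JSON.parse(line)
    next unless suspicious_accept?(rec["accept"])
    hits << { src: rec["src"], path: rec["path"], accept: rec["accept"] }
  end
end

if __FILE__ == $PROGRAM_NAME
  flag_requests(SAMPLE_LOG).each do |h|
    puts "ALERT src=#{h[:src]} path=#{h[:path]} accept=#{h[:accept].inspect}"
  end
end
```

Run it and the two records from 203.0.113.9 are reported; the browser-style list, the bare application/json and the */* wildcard are not. A source that sends several such requests in a row against the same route, as above, is the usual scanning signature for this CVE.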

Advisories from Red Hat (RHSA-2019:0796, RHSA-2019:1147) and openSUSE provide patched packages that address the flaw, and the oss-security and Packet Storm references document the same update path. The source references themselves do not describe in-the-wild exploitation; the CISA KEV entry (added 07 July 2025) is the basis for the active-exploitation flag on this page.

Vulnerability details

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 07 July 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

rubyonrails / rails: 3.0.0 up to (excluding) 4.2.11.1 · 5.0.0 up to (excluding) 5.0.7.2 · 5.1.0 up to (excluding) 5.1.6.2 · 5.2.0 up to (excluding) 5.2.2.1
debian / debian linux: 8.0
redhat / cloudforms: 4.6, 4.7
opensuse / leap: 15.0
fedoraproject / fedora: 30
redhat / software collections: 1.0
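A check against the version ranges above, as an added example that is not the page's or the Rails project's code: it pulls the resolved actionview version (or, for trees older than 4.1 where Action View was not a separate gem, the rails version) out of a Gemfile.lock and compares it with the first fixed release of its branch using Gem::Version from Ruby's standard distribution. The Gemfile.lock excerpt is constructed, and treating branches newer than 5.2 as unaffected is an assumption stated in the code.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# First fixed release of each maintained branch, from the advisory text.
FIXED = {
  "5.2" => Gem::Version.new("5.2.2.1"),
  "5.1" => Gem::Version.new("5.1.6.2"),
  "5.0" => Gem::Version.new("5.0.7.2"),
  "4.2" => Gem::Version.new("4.2.11.1"),
}.freeze

# True when the given Action View / Rails version is affected. 3.x, 4.0 and
# 4.1 have no fixed release at all. Assumption: branches newer than 5.2
# (6.0 onwards) shipped after the fix and are treated as unaffected.
def vulnerable_version?(version)
  v = Gem::Version.new(version)
  major, minor = v.segments.first(2)
  minor = minor.to_i
  return true if major < 4 || (major == 4 && minor < 2)
  fixed = FIXED["#{major}.#{minor}"]
  fixed ? v < fixed : false
end

# Constructed Gemfile.lock excerpt (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.2)
        actionview (= 5.2.2)
        activesupport (= 5.2.2)
      actionview (5.2.2)
        activesupport (= 5.2.2)
        builder (~> 3.1)
      rails (5.2.2)
        actionpack (= 5.2.2)
        actionview (= 5.2.2)
LOCK

# Resolved version of a gem from the specs section. A resolved spec is
# indented exactly four spaces; dependency lines are indented six and use
# "(= x.y.z)", so they never match.
def locked_version(lock_text, gem_name)
  m = lock_text.match(/^ {4}#{Regexp.escape(gem_name)} \((\d[\w.]*)\)$/)
  m && m[1]
end

# Action View is its own gem from 4.1 on; older trees fall back to the rails
# gem itself. Returns nil when neither appears in the lockfile.
def lock_vulnerable?(lock_text)
  version = locked_version(lock_text, "actionview") || locked_version(lock_text, "rails")
  version && vulnerable_version?(version)
end

if __FILE__ == $PROGRAM_NAME
  puts "actionview #{locked_version(SAMPLE_LOCK, 'actionview')}: " \
       "#{lock_vulnerable?(SAMPLE_LOCK) ? 'VULNERABLE' : 'ok'}"
end
```

Point lock_vulnerable? at File.read("Gemfile.lock") in each deployed application; the lockfile, not the Gemfile, is what records the version actually running. Distribution packages (the Red Hat and openSUSE advisories above) carry their own backported fixes, so for those check the package version against the vendor advisory instead.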

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Rejects Accept header values that are not registered media types, so the crafted header that triggers the path traversal never reaches template resolution in Action View.

AC-4 Information Flow Enforcement (prevent)

Enforces information-flow rules so the application cannot return filesystem contents outside the intended view-path scope, even when a traversal string does reach the resolver.

Vendor patch (prevent)

Requires prompt application of the vendor releases (5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1) or the distribution packages from RHSA-2019:0796 and RHSA-2019:1147 that close the Accept-header flaw; 3.x, 4.0 and 4.1 receive no fix and must be upgraded to a maintained branch.
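A simplified model of the flaw and of the two controls above, as an added example written for this page and not Action View's code: formats_unchecked mirrors the affected behaviour in which an unregistered Accept value is carried through as a format, candidate_path splices it into the template path and normalises it with File.expand_path the way the path resolver does (collapsing ../), and render_file_hardened applies an allowlist of registered media types (SI-10) plus a containment check on the resolved path (AC-4). The media-type registry, the file layout and the path pattern are assumptions; the real resolver builds a glob pattern with brace groups (the reason the public PoC's value ends in {{), and this model, which uses a plain path, omits that detail.

```ruby
require "tmpdir"
require "fileutils"

# Stand-in for the application's registered media types (assumption).
REGISTERED = {
  "text/html" => "html", "application/json" => "json",
  "application/xml" => "xml", "text/plain" => "text", "*/*" => "html"
}.freeze

class TemplateOutsideRoot < StandardError; end

# Media type of one Accept element, with any ";q=..." parameters dropped.
def media_type(range)
  range.strip.split(";").first.to_s.strip
end

# Affected behaviour: a registered type becomes its format, but an unknown
# value is carried through unchanged and later spliced into a file path.
def formats_unchecked(accept)
  accept.split(",").map { |r| m = media_type(r); REGISTERED.fetch(m, m) }
end

# SI-10 equivalent: only registered media types become formats; anything
# else, including a traversal string, is dropped before it can reach a path.
def formats_allowlisted(accept)
  accept.split(",").map { |r| REGISTERED[media_type(r)] }.compact.uniq
end

# Candidate template path. As in the resolver this is modelled on, the
# result is normalised with File.expand_path, which collapses "..": that
# normalisation is what lets a traversal format climb out of the view root.
def candidate_path(view_root, name, format)
  File.expand_path("#{name}.#{format}", view_root)
end

# AC-4 equivalent: the resolved path must stay under the view root.
def inside_root?(view_root, path)
  path.start_with?(File.expand_path(view_root) + File::SEPARATOR)
end

# Vulnerable: first negotiated format, no validation, no containment check.
def render_file_vulnerable(view_root, name, accept)
  File.read(candidate_path(view_root, name, formats_unchecked(accept).first))
end

# Hardened: allowlisted format (SI-10) and a contained path (AC-4), so even
# a future resolver bug cannot read outside the view root.
def render_file_hardened(view_root, name, accept)
  format = formats_allowlisted(accept).first
  raise ArgumentError, "no registered media type in Accept header" unless format
  path = candidate_path(view_root, name, format)
  raise TemplateOutsideRoot, path unless inside_root?(view_root, path)
  File.read(path)
end

# Constructed fixture: a throwaway app tree with one view inside the view
# root and a secret outside it, driven with a legitimate and a traversal
# Accept header. Returns what each resolver produced.
def demo
  Dir.mktmpdir("cve-2019-5418") do |app_root|
    view_root = File.join(app_root, "app", "views")
    FileUtils.mkdir_p(view_root)
    File.write(File.join(view_root, "robots.html"), "User-agent: *\n")
    secret = File.join(app_root, "config", "master.key")
    FileUtils.mkdir_p(File.dirname(secret))
    File.write(secret, "0123456789abcdef")

    # Plenty of "../" (the PoC uses eight): expand_path stops at "/", so extra
    # ones are harmless and the remainder is the secret's absolute path.
    traversal = ("../" * 16) + secret.sub(%r{\A/+}, "")

    blocked = begin
      render_file_hardened(view_root, "robots", traversal)
      false
    rescue ArgumentError, TemplateOutsideRoot
      true
    end

    {
      legit:       render_file_vulnerable(view_root, "robots", "text/html"),
      leaked:      render_file_vulnerable(view_root, "robots", traversal),
      blocked:     blocked,
      hardened_ok: render_file_hardened(view_root, "robots", "text/html;q=0.9"),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Upgrading is the fix; the allowlist is the application-level form of the SI-10 control, and the containment check is independent defence in depth for any render file: call (or any other code path) that builds a filesystem path from request data.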
