CVE-2014-0130 — Ruby on Rails Directory Traversal Vulnerability

Ruby on Rails — Implicit Render Path Traversal Allows Arbitrary File Read via Crafted Action Name

What Is Ruby on Rails?

Ruby on Rails is the most widely used full-stack web framework for the Ruby programming language. It powers a large portion of web applications — including GitHub, Shopify, Basecamp, and many others — and is the default framework for Ruby-based API services, admin panels, and customer-facing applications. Its "convention over configuration" design means many Rails applications rely on implicit, default behavior in routing and rendering, including the implicit render feature at the center of this vulnerability.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-0130 is a directory traversal vulnerability in the implicit-render implementation of Ruby on Rails. When a controller action has no explicit render call, Rails automatically looks up a template whose path is derived from the action name. Because Rails failed to sanitize path components in the resolved template name, an attacker could craft a URL whose action name contained ../ sequences, causing Rails to render arbitrary files on the filesystem, including application configuration files, credential stores, and source code.

Affected Versions

Rails Version | Vulnerable         | Fixed
3.x           | < 3.2.18           | 3.2.18
4.0.x         | < 4.0.5            | 4.0.5
4.1.x         | < 4.1.1            | 4.1.1
2.x           | All versions (EOL) | No patch; upgrade required

Technical Details

Root Cause: Missing Path Sanitization in AbstractController

Ruby on Rails controllers typically include an action method that explicitly calls render. If no render call is made, the framework uses implicit rendering: it derives the template filename from the action name and renders it automatically. The vulnerability is in actionpack/lib/abstract_controller/base.rb, where the derived template path was not sanitized for directory traversal sequences.

An attacker could craft a request that maps to an action name like ../../config/database, causing Rails to attempt rendering ../../config/database.yml.erb — resolving to config/database.yml relative to the app root. This file contains database credentials in plaintext.

Example attack request:

GET /users/..%2F..%2Fconfig%2Fdatabase HTTP/1.1
Host: target.example.com

For the traversal to work, the application routing must have a route that maps the action segment, and the target file must exist and be readable by the Rails process. Files that could be exposed include config/database.yml, config/secrets.yml, .env files, or any other plaintext file the web server process can read.
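To make the lookup concrete, here is an added Ruby model (not Rails code and not from the original page) of how implicit render derives a template path from the decoded action segment, and of the path-separator check that the fix introduced; the /srv/app layout, the function names and the exact form of the check are assumptions.

```ruby
require 'pathname'

# Assumed application layout; Rails keeps templates under app/views.
APP_ROOT   = '/srv/app'
VIEWS_ROOT = File.join(APP_ROOT, 'app', 'views')

# The router percent-decodes the matched :action segment, so "%2F" becomes "/".
def unescape_segment(raw)
  raw.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Behavioural model of the check the fix added: an action name that contains a
# path separator is no longer treated as a renderable action (assumed form).
def valid_action_name?(action)
  !action.include?(File::SEPARATOR)
end

# Implicit render derives the template path from controller and action names;
# Pathname#cleanpath collapses each "../" exactly as the filesystem would.
def template_for(controller, action)
  Pathname.new(File.join(VIEWS_ROOT, controller, action)).cleanpath.to_s
end

# The property a defender cares about: does the resolved template stay under app/views?
def inside_views?(path)
  path.start_with?(VIEWS_ROOT + File::SEPARATOR)
end

# Returns [:render, resolved_path] or, on a patched app, [:rejected, action].
def implicit_render(controller, raw_action, patched:)
  action = unescape_segment(raw_action)
  return [:rejected, action] if patched && !valid_action_name?(action)
  [:render, template_for(controller, action)]
end

if __FILE__ == $0
  [false, true].each do |patched|
    status, target = implicit_render('users', '..%2F..%2Fconfig%2Fdatabase', patched: patched)
    puts "patched=#{patched}: #{status} #{target}"
  end
end
```

With this layout the request from the page resolves to /srv/app/app/config/database, which is already outside app/views; the patched branch never builds a path at all.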

Attack Characteristics

Attribute           | Detail
Attack Vector       | Network — no authentication required
Privileges Required | None
User Interaction    | None
Impact              | Arbitrary file read (confidentiality)
CWE                 | CWE-22: Path Traversal

Discovery

The vulnerability was identified through security research and reported to the Rails security team in early May 2014. The Rails team published a coordinated security advisory on May 6, 2014, releasing patched versions simultaneously.

Exploitation Context

  • No authentication required — any vulnerable Rails application reachable by a remote attacker is at risk
  • Automated scanning tools quickly incorporated this CVE; exploitation was widespread against exposed Rails deployments
  • High-value targets include config/database.yml (database credentials), config/secrets.yml (secret keys for session signing), and .env files (API keys, service credentials)
  • Leaking database credentials can enable a secondary SQL injection or direct database connection attack
  • CISA added this to KEV in March 2022, confirming active exploitation continued years after the patch was available

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Upgrade Rails to version 3.2.18, 4.0.5, or 4.1.1 (or later). Verify with bundle exec rails --version in the application directory.

  2. Audit routes for any routes that use catch-all or dynamic action name parameters without explicit rendering — these patterns carry higher risk.

  3. Review application logs for path traversal attempts: look for ../ or URL-encoded equivalents (%2F, %2e) in action path segments.

  4. Restrict file system permissions on the Rails process user to limit what files can be read even if a traversal is attempted.

  5. If upgrading is not immediately possible: disable implicit rendering for sensitive controllers by adding explicit render calls to all actions.
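For step 3, an added Ruby example (not from the page or the Rails project) that scans access-log lines for the traversal patterns named above, decoding each path segment so that %2F, %2e and double-encoded forms are caught; the log lines are constructed samples and the combined-log regex is an assumption about the log format.

```ruby
# Constructed sample access-log lines (nginx "combined" format); not real traffic.
ACCESS_LOG = <<~LOG
  203.0.113.5 - - [10/May/2014:12:00:01 +0000] "GET /users/..%2F..%2Fconfig%2Fdatabase HTTP/1.1" 200 512
  198.51.100.7 - - [10/May/2014:12:00:02 +0000] "GET /users/index HTTP/1.1" 200 2048
  203.0.113.5 - - [10/May/2014:12:00:03 +0000] "GET /users/%2e%2e%2F%2e%2e%2Fconfig%2Fsecrets HTTP/1.1" 404 120
  192.0.2.9 - - [10/May/2014:12:00:04 +0000] "GET /users/1/edit?tab=..%2Fx HTTP/1.1" 200 900
  203.0.113.5 - - [10/May/2014:12:00:05 +0000] "GET /users/..%252F..%252Fconfig%252Fdatabase HTTP/1.1" 200 512
LOG

# Assumed combined-log layout: ip ident user [time] "method target protocol" status bytes
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*"/

# Percent-decode repeatedly (at most 3 rounds) so double-encoded "%252F" is seen as "/".
def fully_decode(str)
  3.times do
    decoded = str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    break if decoded == str
    str = decoded
  end
  str
end

# A segment is suspicious when, once decoded, it contains a ".." step or an
# embedded slash (a literal slash would already have split the segment).
def traversal_segment?(segment)
  decoded = fully_decode(segment)
  decoded.include?('..') || decoded.include?('/')
end

# Only the path is inspected: the query string never becomes part of the action name.
def traversal_attempt?(target)
  path = target.split('?', 2).first
  path.split('/').any? { |seg| traversal_segment?(seg) }
end

# Returns [[ip, method, target], ...] for every request whose path carries traversal.
def suspicious_requests(log)
  log.each_line.filter_map do |line|
    m = LINE_RE.match(line) or next
    next unless traversal_attempt?(m[:target])
    [m[:ip], m[:method], m[:target]]
  end
end

puts suspicious_requests(ACCESS_LOG).map { |r| r.join(' ') } if __FILE__ == $0
```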

Key Details

Property             | Value
CVE ID               | CVE-2014-0130
Vendor / Product     | Rails — Ruby on Rails
NVD Published        | 2014-05-07
NVD Last Modified    | 2025-10-22
CVSS 3.1 Score       | 7.5
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity             | HIGH
CWE                  | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CISA KEV Added       | 2022-03-25
CISA KEV Deadline    | 2022-04-15
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | None
Availability        | None

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date       | Event
2014-05-06 | Rails security advisory published; fixed versions 3.2.18, 4.0.5, and 4.1.1 released
2014-05-07 | CVE-2014-0130 published by NVD
2022-03-25 | Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15 | CISA BOD 22-01 remediation deadline