CVE-2016-0752 — Ruby on Rails Directory Traversal Vulnerability

CVE-2016-0752

Ruby on Rails Action View — render :file Path Traversal Allows Unauthenticated Arbitrary File Read; Fixed Rails 3.2.22.2 / 4.x / 5.0 (January 2016)

What Is Ruby on Rails Action View?

Ruby on Rails is one of the world's most popular web application frameworks, widely used for building web applications across startups, enterprises, and government services. Action View is the Rails component responsible for rendering templates and generating HTML responses. The render method in Action View allows controllers to specify which view template to render — including render :file for rendering arbitrary files from the filesystem.

The render :file functionality, when combined with insufficient path sanitization, provides a path traversal attack vector: if user-supplied input can influence the file path passed to render :file, an attacker may be able to read arbitrary files from the server's filesystem.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-0752 is a directory traversal vulnerability in Ruby on Rails Action View that allows remote attackers to read arbitrary files from the Rails application server's filesystem. The vulnerability exists in how Action View handles file paths when the render :file option is used — insufficient path sanitization allows path traversal sequences (../) to escape the intended views directory and reference files outside it. An attacker who can influence the rendered file path can read sensitive files including application secrets, database configuration, and system files. Rails released patches in January 2016 across all maintained versions.

Affected Versions

Ruby on Rails                Status
3.x before 3.2.22.2          Vulnerable
4.0.x before 4.0.13.1        Vulnerable
4.1.x before 4.1.14.1        Vulnerable
4.2.x before 4.2.5.1         Vulnerable
5.0.0.beta1 (pre-release)    Vulnerable
3.2.22.2                     Fixed
4.0.13.1                     Fixed
4.1.14.1                     Fixed
4.2.5.1                      Fixed

Technical Details

Root Cause: Insufficient Path Sanitization in Action View

CVE-2016-0752 involves insufficient path validation (CWE-22) in Rails Action View's file rendering code. When a Rails controller calls render :file => params[:some_param] (or equivalent) with unsanitized user input, and the Action View code does not properly strip path traversal sequences from the provided path, an attacker can specify:

render :file => "../../../../../../etc/passwd"

Action View constructs the full path by combining the views directory with the provided path — but if traversal sequences are not stripped, the resulting path escapes the views directory and resolves to an arbitrary filesystem location. The rendered "view" returns the file's contents in the HTTP response.

High-Value Targets for Rails File Read

Sensitive files accessible via CVE-2016-0752 on a typical Rails application server:

  • config/database.yml — database connection credentials (username, password, host, database name)
  • config/secrets.yml or config/credentials.yml.enc — Rails secret key base (enables session forgery), API keys
  • .env files — environment variable files containing API credentials, service keys
  • /etc/passwd — system user list
  • Application source code — business logic, internal API implementations
  • Private keys — SSH keys, TLS certificates stored on the server

Attack Characteristics

Attribute         Detail
Attack Vector     Network — HTTP request with traversal path
Authentication    None required (depends on application code)
Impact            Arbitrary file read — database credentials, secrets, source code
Root Cause        render :file with unsanitized user input
Complexity        Low — straightforward traversal

Discovery

Reported to the Rails security team by Joernchen of Phenoelit. Rails released security patches on January 25, 2016 as part of a coordinated disclosure.

Exploitation Context

  • Credential theft and lateral movement: Attackers exploit CVE-2016-0752 to retrieve database credentials from config/database.yml, enabling direct database access for data theft; the Rails secret key base from config/secrets.yml enables forging authenticated session cookies, potentially allowing admin account impersonation
  • Reconnaissance for further attacks: File read vulnerabilities are often the first step in a multi-stage attack — reading application configuration reveals the internal architecture, connected services, and credential stores for further exploitation
  • Rails widespread deployment: Ruby on Rails powers a large percentage of the web; CVE-2016-0752 affected all maintained Rails versions simultaneously, creating a very wide exposure surface across all Rails applications that included render :file with user-influenced input
  • CISA KEV (2022): Added March 2022, confirming continued exploitation against unpatched Rails applications years after the patch

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Update Rails — upgrade to Rails 3.2.22.2, 4.0.13.1, 4.1.14.1, 4.2.5.1 or later. Any current Rails LTS version is patched against CVE-2016-0752.

  2. Avoid render :file with user input — audit Rails controllers for any use of render :file, render :template, or similar with user-supplied values; replace with explicit template name lookups or allowlists of permitted templates.

  3. Rotate exposed credentials — if the application may have been vulnerable, rotate: database credentials, Rails secret key base (this invalidates all existing sessions), API keys, and any other secrets stored in config/ files.

  4. Input validation — for any Rails application feature that renders or serves files, validate that the requested path is within an explicitly permitted directory and does not contain traversal sequences.

  5. Application security audit — review the application codebase for any patterns where user-controlled input influences file paths, template names, or file operations.
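The path resolution described under Root Cause, together with the allowlist of remediation step 2 and the containment check of remediation step 4, as an added example in plain Ruby. This is not Rails source and not the CVE-2016-0752 patch; the views directory, the template names and the helper names (unsafe_resolve, contained_resolve, allowlisted_template) are constructed for illustration. It runs without Rails installed.

```ruby
# Added example, not Rails source and not the CVE-2016-0752 patch: plain Ruby
# that models how a views directory and a request-supplied template name
# resolve on the filesystem, and two defences a controller can apply before
# anything reaches render. Paths and template names below are constructed.

# The vulnerable shape: whatever the request supplied is joined to the views
# directory and handed to the renderer unchanged. File.expand_path collapses
# "../" components, so enough of them walk out of the views tree entirely.
def unsafe_resolve(views_dir, requested)
  File.expand_path(requested, views_dir)
end

# Defence 1 (remediation step 4): canonicalise first, then require the result
# to sit inside the views directory. Returns nil for anything that escapes,
# including absolute paths, an empty name and names carrying a null byte
# (File.expand_path raises on null bytes, so they are rejected up front).
def contained_resolve(views_dir, requested)
  return nil if requested.nil? || requested.include?("\0")
  base = File.expand_path(views_dir)
  prefix = File.join(base, "")          # base with exactly one trailing separator
  candidate = File.expand_path(requested, base)
  return nil unless candidate.start_with?(prefix)
  candidate
end

# Defence 2 (remediation step 2, preferred): the request supplies a key into an
# allowlist, never a path. Unknown keys yield nil, so a traversal string never
# becomes a candidate path at all.
ALLOWED_TEMPLATES = {
  "welcome" => "pages/welcome",
  "about"   => "pages/about",
}.freeze

def allowlisted_template(requested)
  ALLOWED_TEMPLATES[requested]
end

if __FILE__ == $PROGRAM_NAME
  views  = "/srv/app/app/views"            # constructed views directory
  attack = "../../../../../../etc/passwd"  # the traversal string shown above
  puts "unsafe:      #{unsafe_resolve(views, attack)}"
  puts "contained:   #{contained_resolve(views, attack).inspect}"
  puts "contained:   #{contained_resolve(views, 'pages/welcome')}"
  puts "allowlisted: #{allowlisted_template(attack).inspect}"
end
```

The prefix comparison is only sound because both sides are canonicalised first; comparing the raw request string against a denylist of "../" is weaker. A symlink inside the views directory that points outside it is not caught by string comparison, so where the target must already exist, File.realpath on both sides is the stricter check. The allowlist is the cleaner fix: the rendered name never originates from the request, which is what remediation step 2 asks for.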

Key Details

Property              Value
CVE ID                CVE-2016-0752
Vendor / Product      Rails — Ruby on Rails
NVD Published         2016-02-16
NVD Last Modified     2025-10-22
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CISA KEV Added        2022-03-25
CISA KEV Deadline     2022-04-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date        Event
2016-01-25  Rails security patch released: Rails 3.2.22.2, 4.0.13.1, 4.1.14.1, 4.2.5.1, and 5.0.0.beta1.1 addressing CVE-2016-0752
2016-02-16  CVE-2016-0752 published by NVD
2022-03-25  Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15  CISA BOD 22-01 remediation deadline