CVE-2025-55193
EPSS 0.35%Active Record logging vulnerable to ANSI escape injection
Published: 8/13/2025Modified: 2/5/2026
Description
This vulnerability has been assigned the CVE identifier CVE-2025-55193 ### Impact The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. ### Releases The fixed releases are available at the normal locations. ### Credits Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability
Affected packages (2)
- Debian/railsfrom 0, < 2:6.0.3.7+dfsg-2+deb11u4
- RubyGems/activerecord>= 8.0, < 8.0.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-55193
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-55193
- PATCHhttps://github.com/rails/rails
- WEBhttps://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290
- WEBhttps://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b
- WEBhttps://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202
- WEBhttps://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2025-55193.yml