
Debian 11 Rails Critical RCE Vulnerability DLA-4578-1 CVE-2022-32224

Debian LTS
May 11, 2026
Ruby on Rails faces critical Remote Code Execution risk. Update now for Debian LTS to secure your applications effectively.
An RCE (Remote Code Execution) escalation was discovered in Ruby on Rails, an MVC Ruby-based framework for web development.

Summary

This vulnerability exists when using YAML-serialized columns in Active
Record. It could allow an attacker who is able to manipulate data in
the database (for example via SQL injection) to escalate that access
to an RCE.

Common and safe YAML serialization is handled in this update (support
for primary Ruby data types and Symbol, as well as newly-serialized
HashWithIndifferentAccess objects).

If your application serializes other classes as YAML, see the
following page for how to list these classes in
config.active_record.yaml_column_permitted_classes, or disable the
protection entirely (not recommended, at your own risk) with
config.active_record.use_yaml_unsafe_load=true.
https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
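To illustrate the two settings named above, here is an added Ruby example (not code from the advisory or from Rails itself) that models Active Record's permitted-class check with plain Psych; the AuditNote class, the sample column contents and the helper names are constructed for the demonstration.

```ruby
require 'yaml'

# Constructed stand-in for an application class that could end up in a
# YAML-serialized Active Record column (not a real Rails class).
AuditNote = Struct.new(:author, :text)

# Classes a serialized column may contain after the fix: Psych's safe_load
# always allows primitives, and the update adds Symbol. Rails also permits
# ActiveSupport::HashWithIndifferentAccess; it is left out here so the
# script runs without Rails. Extra classes play the role of
# config.active_record.yaml_column_permitted_classes.
DEFAULT_PERMITTED = [Symbol].freeze

# Fixed behaviour: anything outside the permitted set raises
# Psych::DisallowedClass instead of being instantiated.
def load_serialized_column(yaml, permitted_classes: [])
  YAML.safe_load(yaml,
                 permitted_classes: DEFAULT_PERMITTED + permitted_classes,
                 aliases: true)
end

# Pre-fix behaviour, equivalent to config.active_record.use_yaml_unsafe_load
# = true: every tagged Ruby object in the column is instantiated. (YAML.load
# is the unsafe loader on Psych releases that predate YAML.unsafe_load.)
def load_serialized_column_unsafe(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Returns :loaded or :rejected so an upgrade check can report which rows
# would break under the new default without raising.
def column_status(yaml, permitted_classes: [])
  load_serialized_column(yaml, permitted_classes: permitted_classes)
  :loaded
rescue Psych::DisallowedClass
  :rejected
end

# Constructed sample column contents: a plain hash with symbols, and a
# tagged object of an application class.
PLAIN_COLUMN  = { name: "alice", roles: [:admin, :editor] }.to_yaml
OBJECT_COLUMN = AuditNote.new("bob", "reviewed").to_yaml

if __FILE__ == $PROGRAM_NAME
  p column_status(PLAIN_COLUMN)                                   # :loaded
  p column_status(OBJECT_COLUMN)                                  # :rejected
  p column_status(OBJECT_COLUMN, permitted_classes: [AuditNote])  # :loaded
  p load_serialized_column_unsafe(OBJECT_COLUMN).author           # "bob"
end
```

In a Rails application the equivalent of passing `permitted_classes: [AuditNote]` is `config.active_record.yaml_column_permitted_classes = [AuditNote]` in the application configuration.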

For Debian 11 bullseye, this problem has been fixed in version
2:6.0.3.7+dfsg-2+deb11u5.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to


Severity: Critical

Package: rails
Version: 2:6.0.3.7+dfsg-2+deb11u5
CVE ID: CVE-2022-32224
Debian Bug: 1016140
