Path Traversal in Rails https://github.com/rails/rails
CVE-2019-5418
There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.943 (100.0th percentile)
Affected products
- Rails https://github.com/rails/rails — versions 5.2.2.1, 5.1.6.2, 5.0.7.2
Weakness classification (CWE)
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on 2025-07-07. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Public proof-of-concept exploits
References
- 46585 (exploit, x_refsource_EXPLOIT-DB)
- packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclos… (x_refsource_MISC)
- [oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View (mailing-list, x_refsource_MLIST)
- weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/ (x_refsource_CONFIRM)
- groups.google.com/forum/ (x_refsource_CONFIRM)
- [debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update (mailing-list, x_refsource_MLIST)
- RHSA-2019:0796 (vendor-advisory, x_refsource_REDHAT)
- openSUSE-SU-2019:1344 (vendor-advisory, x_refsource_SUSE)
- FEDORA-2019-1cfe24db5c (vendor-advisory, x_refsource_FEDORA)
- RHSA-2019:1149 (vendor-advisory, x_refsource_REDHAT)
Frequently asked questions
- What is CVE-2019-5418?
- CVE-2019-5418 is a vulnerability in Rails https://github.com/rails/rails, classified under Path Traversal. Published 2019-03-27.
- Is CVE-2019-5418 known to be exploited?
- Yes. CVE-2019-5418 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2025-07-07), indicating it is being actively exploited. 71 public proof-of-concept repositories are indexed.