Ruby on Rails security glitch puts thousands of websites at risk
Researchers sound alarm following discovery of "multiple weaknesses" in software development framework.
The discovery of a Ruby on Rails (RoR) security vulnerability could put hundreds of thousands of websites across the globe at risk of getting hacked, it has been claimed.
According to a security advisory posted to a RoR security discussion list, "multiple weaknesses" have been found in parts of the framework's coding, which could allow hackers to compromise websites that use the platform.
It is claimed that more than 240,000 websites use RoR.
"There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL...and execute arbitrary code or perform a denial of service attack on a Rails application," the advisory states.
All versions of RoR are reportedly affected by the glitch, which security researchers claim means any apps or websites based on the framework could potentially be at risk of attack.
"Due to the critical nature of this vulnerability, and the fact portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately," the statement added.
A list of the available workarounds is available here.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
In a blog post, HD Moore, chief security officer at security vendor Rapid7, said the vulnerability could put "thousands" of production websites at risk of remote compromise.
"These kinds of bugs are close to my heart, as [this site] is written in Ruby," he wrote.
"We marshaled the troops and released a security update for users, updated all of our own applications with the workaround," Moore added.
Caroline Donnelly was the news and analysis editor of IT Pro. Previously, she worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.
-
ITPro is 20!We take a look back on the past two decades since ITPro launched...
-
Cyber experts issue alert after two ransomware groups team up on ‘unprecedented’ threat campaignNews The tie-up includes a new model of industrialized ransomware deployment that significantly lowers the barrier to entry for cyber crime
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security