CISA Alerts on Active Exploit of Ruby on Rails Path Traversal Flaw
gbhackers
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of a critical path traversal vulnerability in Ruby on Rails, designated CVE-2019-5418.
The agency added this six-year-old flaw (it was disclosed and patched in March 2019) to its Known Exploited Vulnerabilities (KEV) catalog on July 7, 2025. CISA adds an entry to KEV only when it has evidence of exploitation in the wild, and the listing obligates US federal civilian agencies to remediate it by a set due date under Binding Operational Directive 22-01.
Critical Vulnerability Details
The vulnerability affects Action View, the Ruby on Rails component that renders web application views.
When a controller action calls render file:, vulnerable Action View releases fold the request's Accept header into the template lookup as a format. An Accept header carrying path traversal sequences therefore steers that lookup outside the view directory, and the server returns the contents of an arbitrary file that the application process can read. No user-controlled path in the application code is required: any action that calls render file: is reachable.
The flaw is classified as CWE-22 (improper limitation of a pathname to a restricted directory). It exposes files that were never meant to be served, such as configuration files and credentials, to unauthenticated remote clients. Rails fixed it in Action View 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 and 6.0.0.beta3; earlier releases, including unsupported series, remain vulnerable.
Security researchers have demonstrated that malicious actors can manipulate accept headers to traverse directory structures and access files outside the intended application ...
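The checks below are an added example for readers who operate Rails applications; they are not code from the gbhackers article or from the Rails project. The fixed version numbers are those from the Rails security advisory for CVE-2019-5418. Everything else (the names actionview_patched?, render_file_call?, suspicious_accept? and AcceptHeaderGuard, the Accept-header grammar check, and the sample request environments) is this example's own construction.

```ruby
# Added example (not from the gbhackers article or the Rails project): three
# things an operator can do about CVE-2019-5418 before and after upgrading.
#
#   1. actionview_patched?  - is an Action View version at or past its fix?
#   2. render_file_call?    - does a source line contain the reachable sink?
#   3. AcceptHeaderGuard    - Rack-style middleware that refuses Accept
#                             headers that are not valid media ranges, as a
#                             stopgap until Action View is upgraded.
#
# Only the version numbers in FIXED_ACTIONVIEW come from the Rails advisory;
# all names and sample data are this example's own (hypothetical).
require "rubygems"
require "stringio"

# First fixed release per maintained branch (Rails security advisory, March 2019).
FIXED_ACTIONVIEW = {
  "4.2" => "4.2.11.1",
  "5.0" => "5.0.7.2",
  "5.1" => "5.1.6.2",
  "5.2" => "5.2.2.1",
}.freeze
FIRST_SAFE_6 = Gem::Version.new("6.0.0.beta3")

# True when the given Action View version is at or past its branch's fix.
# Versions outside the table are judged against 6.0.0.beta3, so 6.x and
# later pass while unsupported series older than 4.2 (never patched) fail.
def actionview_patched?(version_string)
  version = Gem::Version.new(version_string)
  branch = version.segments[0, 2].join(".")
  fix = FIXED_ACTIONVIEW[branch]
  fix ? version >= Gem::Version.new(fix) : version >= FIRST_SAFE_6
end

# The sink: any action calling render file: (either hash syntax) is reachable,
# whether or not user input goes into the path. Run this over app/**/*.rb.
RENDER_FILE_RE = /\brender\s*\(?\s*(?:file:|:file\s*=>)/

def render_file_call?(source_line)
  RENDER_FILE_RE.match?(source_line)
end

# A legitimate Accept header is a comma-separated list of media ranges
# (type/subtype with optional ;name=value parameters). A traversal payload
# such as "../../../../etc/passwd{{" contains "/" and "{" where the grammar
# allows none, so a strict grammar check rejects it without a signature for
# any one payload. ".." is refused outright; it is never legitimate here.
TCHAR = /[!$%&'*+\-.^_`|~0-9A-Za-z#]+/
MEDIA_RANGE = /\A\s*#{TCHAR}\/#{TCHAR}\s*(?:;\s*#{TCHAR}\s*=\s*(?:#{TCHAR}|"[^"]*")\s*)*\z/

def suspicious_accept?(header)
  return true if header.include?("..")
  ranges = header.split(",").map(&:strip).reject(&:empty?)
  ranges.any? { |range| !MEDIA_RANGE.match?(range) }
end

# Rack-compatible middleware: log every malformed Accept header; with
# enforce: true (the default) also answer 406 instead of calling the app.
class AcceptHeaderGuard
  def initialize(app, logger: $stderr, enforce: true)
    @app = app
    @logger = logger
    @enforce = enforce
  end

  def call(env)
    accept = env["HTTP_ACCEPT"]
    if accept && suspicious_accept?(accept)
      @logger.puts "AcceptHeaderGuard: #{env['REMOTE_ADDR']} #{env['PATH_INFO']} accept=#{accept.inspect}"
      return [406, { "content-type" => "text/plain" }, ["Not Acceptable\n"]] if @enforce
    end
    @app.call(env)
  end
end

# Constructed sample Rack environments (not captured traffic): a browser
# request, a JSON API request, and the shape of the public CVE-2019-5418 payload.
SAMPLE_ENVS = [
  { "REMOTE_ADDR" => "198.51.100.10", "PATH_INFO" => "/",
    "HTTP_ACCEPT" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" },
  { "REMOTE_ADDR" => "198.51.100.11", "PATH_INFO" => "/api/items",
    "HTTP_ACCEPT" => "application/vnd.api+json" },
  { "REMOTE_ADDR" => "203.0.113.5", "PATH_INFO" => "/robots",
    "HTTP_ACCEPT" => "../../../../../../../../etc/passwd{{" },
].freeze

if __FILE__ == $PROGRAM_NAME
  upstream = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  log = StringIO.new
  guard = AcceptHeaderGuard.new(upstream, logger: log)
  SAMPLE_ENVS.each do |env|
    status, = guard.call(env)
    puts "#{status} #{env['REMOTE_ADDR']} #{env['HTTP_ACCEPT']}"
  end
  $stderr.print log.string
  %w[4.2.11 4.2.11.1 5.2.2 6.0.0.beta2 7.1.3].each do |v|
    puts "Action View #{v}: #{actionview_patched?(v) ? 'patched' : 'VULNERABLE'}"
  end
end
```

The middleware is a compensating control, not a fix: the only complete remediation is upgrading Action View past the versions in the table (check with bundle list actionview). In a Rails app it can be mounted ahead of everything else with config.middleware.insert_before 0, AcceptHeaderGuard in config/application.rb; run it with enforce: false first and review the log, because some API clients send Accept values that are not strict media ranges and would otherwise start receiving 406 responses.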