Closed
Description
Rails 7.3.2 has just been released. On upgrading, bundler audit is now complaining about CVE-2024-54133, CVE-2025-55193, and CVE-2025-24293.
CVE-2024-54133 was fixed in 7.2.2.1. The version spec below mentions ~> 7.2.2.1, which I believe doesn't match 7.2.3. I imagine the other CVEs have similar version mismatches.
Download ruby-advisory-db ...
Cloning into '/home/runner/.local/share/ruby-advisory-db'...
ruby-advisory-db:
advisories: 1032 advisories
last updated: 2025-10-23 12:50:11 -0700
commit: c506afcbb18a7062701940fe5c58ccc1698e15d4

Name: actionpack
Version: 7.2.3
CVE: CVE-2024-54133
GHSA: GHSA-vfm5-rmrh-j26v
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
Title: Possible Content Security Policy bypass in Action Dispatch
Solution: update to '~> 7.0.8.7', '~> 7.1.5.1', '~> 7.2.2.1', '>= 8.0.0.1'

Name: activerecord
Version: 7.2.3
CVE: CVE-2025-55193
GHSA: GHSA-76r7-hhxj-r776
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
Title: Active Record logging vulnerable to ANSI escape injection
Solution: update to '~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'

Name: activestorage
Version: 7.2.3
CVE: CVE-2025-24293
GHSA: GHSA-r4mg-4433-c7g3
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3
Title: Active Storage allowed transformation methods that were potentially unsafe
Solution: update to '~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'

Vulnerabilities found!
Thanks!
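The mismatch the report describes can be reproduced with RubyGems' own requirement matching, which is what bundler-audit relies on. The following is an added example, not code from the issue, from ruby-advisory-db or from bundler-audit: the spec lists are copied from the Solution lines above, `patched?`, `pessimistic_bounds` and `series_spec` are helper names chosen here, and the widened `>= x, < next-minor` form produced by `series_spec` is one possible way to cover later patch releases of the same series, not necessarily the change the database maintainers adopted.

```ruby
# Added example: why a "~> 7.2.2.1" patched-version spec does not match 7.2.3.
# Uses only Gem::Version / Gem::Requirement from RubyGems (loaded by default).
require 'rubygems'

# Constructed from the Solution lines in the bundler-audit report above.
PATCHED_SPECS = {
  'CVE-2024-54133' => ['~> 7.0.8.7', '~> 7.1.5.1', '~> 7.2.2.1', '>= 8.0.0.1'],
  'CVE-2025-55193' => ['~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'],
  'CVE-2025-24293' => ['~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'],
}.freeze

# An installed version counts as patched when it satisfies ANY entry in the
# list. Each entry may be a single requirement string or an array of strings
# that must all hold (e.g. ['>= 7.2.2.1', '< 7.3']).
def patched?(version, specs)
  v = Gem::Version.new(version)
  specs.any? { |spec| Gem::Requirement.new(*Array(spec)).satisfied_by?(v) }
end

# The half-open interval a pessimistic constraint really covers.
# "~> 7.2.2.1" means ">= 7.2.2.1" AND "< 7.2.3" (Gem::Version#bump drops the
# last segment and increments the one before it), so 7.2.3 itself is excluded.
def pessimistic_bounds(spec)
  op, ver = Gem::Requirement.parse(spec)
  raise ArgumentError, "not a pessimistic spec: #{spec}" unless op == '~>'
  [ver.to_s, ver.bump.to_s]
end

# Hypothetical widening (an assumption of this example, not the project's fix):
# keep the same lower bound but allow every later release of the MINOR series,
# i.e. "~> 7.2.2.1" becomes ['>= 7.2.2.1', '< 7.3'].
def series_spec(spec)
  op, ver = Gem::Requirement.parse(spec)
  raise ArgumentError, "not a pessimistic spec: #{spec}" unless op == '~>'
  major, minor = ver.segments[0, 2]
  [">= #{ver}", "< #{major}.#{minor + 1}"]
end

if __FILE__ == $0
  PATCHED_SPECS.each do |cve, specs|
    puts "#{cve}: 7.2.3 patched? #{patched?('7.2.3', specs)}"
  end
  lo, hi = pessimistic_bounds('~> 7.2.2.1')
  puts "'~> 7.2.2.1' covers #{lo} <= v < #{hi}"
  puts "widened: #{series_spec('~> 7.2.2.1').inspect} -> 7.2.3 patched? " \
       "#{patched?('7.2.3', [series_spec('~> 7.2.2.1')])}"
end
```

Running it shows every advisory reporting 7.2.3 as unpatched even though 7.2.2.1 and 7.2.2.2 are accepted, which is exactly the false positive in the report: the pessimistic operator caps the match one patch level above its lower bound, so any spec written against a four-segment version silently excludes the next three-segment release of the same series.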