May 6, 2014: CVE-2014-0130 Directory Traversal Vulnerability

There is a directory traversal vulnerability in Ruby on Rails. This security update contains the following sections:

  • Issue - security vulnerability summarized.
  • Solution - the recommended solution for most cases.
  • Workaround - alternatives in case you cannot upgrade now or have older versions.
  • FAQs - frequently asked questions.
  • More information - helpful links related to this security vulnerability.


A security vulnerability was released May 6th, 2014:

Directory traversal vulnerability in Ruby on Rails

There is a directory traversal vulnerability in the 'implicit render' functionality in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0130.

Versions Affected: All supported versions.

Not affected: NONE.

Fixed Versions: 4.1.1, 4.0.5, 3.2.18


Upgrade Ruby on Rails to the following versions: 4.1.1, 4.0.5, 3.2.18.

Note: We understand that you may not be able to upgrade your version of Ruby on Rails. In this case, implement the workaround described in the next section.


If you are not able to upgrade soon you can apply one of the patches attached to the original CVE-2014-0130 advisory:

  • 4-1-directory_traversal.patch - Patch for 4.1 series
  • 4-0-directory_traversal.patch - Patch for 4.0 series
  • 3-2-directory_traversal.patch - Patch for 3.2 series


How can I tell which versions I have now?

You can verify the versions you are using with:

machine user$ bundle list rails

More information

For more information about ...See ...

The amended announcement

CVE-2014-0130 AMENDED

The original announcement with the workaround patches


Ruby on Rails releases

RoR releases

If you have feedback or questions about this page, add a comment below. If you need help, submit a ticket with Engine Yard Support.


Please sign in to leave a comment.

Powered by Zendesk