Rails Active Record: ANSI escape injection in Rails Active Record logging (CVE-2025-55193) #shorts

Summary

Host: Welcome to Secure Rails Today. In this episode, we spotlight CVE-2025-55193, an ANSI escape injection vulnerability discovered in Rails’ Active Record logging. This flaw could allow an attacker to embed control sequences in record IDs, altering or obfuscating terminal output when logs are printed directly to the console. Versions prior to 7.1.5.2, 7.2.2.2, and 8.0.2.1 are affected and have received patches.

Product details

Host: The issue resides in Ruby on Rails, specifically the Active Record component that maps Ruby classes to database tables. Affected releases include all Rails versions from initial releases up to 7.1.5.1, 7.2.0 through 7.2.2.1, and 8.0.0 through 8.0.2.0. The vulnerability was disclosed by GitHub’s security team on August 13, 2025, and fixed in the subsequent maintenance releases 7.1.5.2, 7.2.2.2, and 8.0.2.1.

Vulnerability type summary

Host: CVE-2025-55193 is classified under CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences. In simpler terms, Rails was logging untrusted input—record IDs—without sanitizing or escaping ANSI control sequences, enabling attackers to inject terminal commands or manipulate log appearance.

Details of the vulnerability

Host: Active Record’s find methods accept an ID parameter and log it when an entry is retrieved. If an attacker can influence that ID—through user input, malformed URLs, or malicious payloads—the unescaped ANSI sequences slip directly into the log output. On terminals that honor those sequences, this could change text color, move the cursor, hide text, or even replay earlier log lines. While it doesn’t execute arbitrary code on the server, it can conceal malicious activity, confuse operators, or trick automation that parses logs. The Rails team addressed this by escaping control characters before logging IDs in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.

Conclusion

Host: If you run any Rails app with Active Record logging to a terminal, update immediately to 7.1.5.2, 7.2.2.2, or 8.0.2.1. Review your logging pipeline and ensure you’re not exposing untrusted data directly to terminal output. Stay on the lookout for other control-sequence injection issues, and subscribe to security advisories for timely updates. Thanks for listening to Secure Rails Today—secure coding starts with vigilance.

Watch the full video on YouTube: CVE-2025-55193

Remediation and exploitation details

This chain involves the following actors

  • Malicious User: Supplies crafted record identifiers containing escape codes
  • Developer or System Administrator: Runs and maintains the web application and logging environment

The following systems are involved

  • Rails Active Record (Maps application objects to database tables and logs queries): Logs incoming record identifiers without escaping special codes
  • Terminal (Displays log output to administrator): Interprets and renders escape codes sent in log lines

Attack entry point

  • Record lookup method: The method that looks up a record by identifier (for example, find or find_by) which writes the raw identifier into the log

Remediation actions

  • Developer: Upgrade Rails to version 7.1.5.2, 7.2.2.2, or 8.0.2.1 (applies to: Rails Active Record)
  • Developer: Implement escaping of special characters in logged identifiers (applies to: Rails Active Record)
  • System Administrator: Configure log filters to strip escape codes before display (applies to: Terminal or logging aggregator)
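As an added example (not the Rails patch itself, and not code from the Rails project), the following Ruby shows one way to carry out both remediation actions above: a neutralizer that rewrites control characters in a logged identifier into visible escapes, and a Logger formatter that applies it to every line before the log reaches a terminal. The sample identifiers and the helper names are constructed for this illustration.

```ruby
require "logger"

# Constructed sample identifiers (not taken from real requests): one benign,
# one carrying a colour sequence, one carrying erase-line plus carriage return.
SAMPLE_IDS = [
  "42",
  "\e[31mALERT!\e[0m",
  "legit\e[2K\rall clear",
].freeze

# \p{Cc} matches every Unicode control character: the C0 range (ESC, CR, LF, ...),
# DEL and the C1 range, i.e. everything a terminal can treat as a control sequence.
CONTROL_CHARS = /\p{Cc}/

# Replace each control character with a visible, unambiguous escape such as \e
# or \x85, so the logged value can no longer drive the terminal showing the log.
def neutralize_for_log(value)
  value.to_s.gsub(CONTROL_CHARS) do |ch|
    case ch
    when "\e" then '\e'
    when "\r" then '\r'
    when "\n" then '\n'
    when "\t" then '\t'
    else format('\x%02x', ch.ord)
    end
  end
end

# True if a string still contains anything a terminal would interpret.
def contains_control_chars?(value)
  value.to_s.match?(CONTROL_CHARS)
end

# Logger formatter that neutralizes every message before it is written; attach it
# to any logger whose output reaches a terminal or is replayed on one by an aggregator.
class ControlSafeFormatter < Logger::Formatter
  def call(severity, time, progname, msg)
    super(severity, time, progname, neutralize_for_log(msg))
  end
end

# Build a logger writing to io (a file, $stdout, or a StringIO) with the safe formatter.
def build_logger(io)
  logger = Logger.new(io)
  logger.formatter = ControlSafeFormatter.new
  logger
end
```

A Rails app can attach the formatter with `Rails.logger.formatter = ControlSafeFormatter.new` in an initializer; Rails' tagged logging extends the formatter object, so verify tags still appear in your own configuration.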

Exploitation actions

Inject escape sequences into a parameter used as a lookup key

  • Actor: Malicious User
  • Action: Crafts a record identifier containing escape codes
  • System: Rails Active Record
  • Example: identifier = "ALERT!"

Invoke the lookup endpoint or console command that logs the identifier

  • Actor: Malicious User
  • Action: Sends a request to the application that triggers a lookup with the malicious identifier
  • System: Rails Active Record
  • Example: GET /users/\u001b[31mALERT!\u001b[0m

Write the malicious identifier directly to the log output

  • Actor: Rails Active Record
  • Action: Logs the raw identifier without filtering or escaping
  • System: Rails Active Record

Render text color changes, clear lines, or disguise entries to hide real events

  • Actor: Terminal
  • Action: Receives log output containing escape codes and processes them
  • System: Terminal
  • Example: Logs appear in red, or benign log lines are pushed off screen

CVE database technical details

CVE ID
CVE-2025-55193
Description
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.
Provider
GitHub_M
CWE / problem types
CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
Affected Software Versions
rails:rails: >= 0, < 7.1.5.2 (affected); >= 7.2, < 7.2.2.2 (affected); >= 8.0, < 8.0.2.1 (affected)
Date Published
2025-08-13T22:41:41.890Z
Last Updated
2025-08-14T14:51:11.284Z