GHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
The secure_headers RubyGem versions prior to 7.3.0 contain a vulnerability where untrusted input passed to certain Content-Security-Policy (CSP) directives (:sandbox, :plugin_types, :report_to) is not properly sanitized. This allows injection of arbitrary CSP directives by including semicolons and newline characters, which can override the intended strict script-src policy and enable unsafe inline scripts. This effectively creates an XSS vector despite a strict global CSP configuration. The vulnerability also allows attackers to redirect CSP violation reports to attacker-controlled endpoints. The issue is fixed in version 7.3.0.
AI Analysis
Technical Summary
secure_headers builds the Content-Security-Policy header by concatenating directives. Three directive builders (for :sandbox, :plugin_types, and :report_to) interpolate caller-supplied strings without sanitizing semicolons, carriage returns, or newlines. This enables attackers to inject additional CSP directives, including a script-src directive with 'unsafe-inline', which takes precedence due to CSP's first-occurrence rule, effectively bypassing the configured strict script-src policy. This can lead to full XSS exploitation where untrusted input reaches these directives. Additionally, attackers can redirect CSP violation reports to their infrastructure, leaking sensitive information. The vulnerability affects versions prior to 7.3.0, which introduced proper sanitization. Applications using static values for these directives are not vulnerable, but those passing user-controlled input must upgrade and sanitize inputs.
Potential Impact
An attacker able to supply untrusted input to the vulnerable CSP directives can inject arbitrary CSP directives, including a permissive script-src 'unsafe-inline' policy, enabling cross-site scripting (XSS) attacks despite a strict global CSP. This undermines the security guarantees of the CSP, potentially allowing script injection and execution. Additionally, attackers can redirect CSP violation reports to attacker-controlled endpoints, leaking URLs, source files, and other sensitive data useful for reconnaissance. Applications not passing user input to these directives are not impacted. The vulnerability is moderate in severity due to the requirement of user input control and some attack complexity.
Mitigation Recommendations
Upgrade to secure_headers version 7.3.0 or later, which includes the fix that properly sanitizes input for the affected CSP directives. Until upgrading, sanitize any user-controlled input passed to :sandbox, :plugin_types, or :report_to directives by rejecting or stripping semicolons (';'), carriage returns ('\r'), and newlines ('\n') before passing them to SecureHeaders.override_content_security_policy_directives, append_content_security_policy_directives, or use_content_security_policy_named_append. Applications that only use static values for these directives do not require additional action beyond upgrading.
GHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
Description
The secure_headers RubyGem versions prior to 7.3.0 contain a vulnerability where untrusted input passed to certain Content-Security-Policy (CSP) directives (:sandbox, :plugin_types, :report_to) is not properly sanitized. This allows injection of arbitrary CSP directives by including semicolons and newline characters, which can override the intended strict script-src policy and enable unsafe inline scripts. This effectively creates an XSS vector despite a strict global CSP configuration. The vulnerability also allows attackers to redirect CSP violation reports to attacker-controlled endpoints. The issue is fixed in version 7.3.0.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
secure_headers builds the Content-Security-Policy header by concatenating directives. Three directive builders (for :sandbox, :plugin_types, and :report_to) interpolate caller-supplied strings without sanitizing semicolons, carriage returns, or newlines. This enables attackers to inject additional CSP directives, including a script-src directive with 'unsafe-inline', which takes precedence due to CSP's first-occurrence rule, effectively bypassing the configured strict script-src policy. This can lead to full XSS exploitation where untrusted input reaches these directives. Additionally, attackers can redirect CSP violation reports to their infrastructure, leaking sensitive information. The vulnerability affects versions prior to 7.3.0, which introduced proper sanitization. Applications using static values for these directives are not vulnerable, but those passing user-controlled input must upgrade and sanitize inputs.
Potential Impact
An attacker able to supply untrusted input to the vulnerable CSP directives can inject arbitrary CSP directives, including a permissive script-src 'unsafe-inline' policy, enabling cross-site scripting (XSS) attacks despite a strict global CSP. This undermines the security guarantees of the CSP, potentially allowing script injection and execution. Additionally, attackers can redirect CSP violation reports to attacker-controlled endpoints, leaking URLs, source files, and other sensitive data useful for reconnaissance. Applications not passing user input to these directives are not impacted. The vulnerability is moderate in severity due to the requirement of user input control and some attack complexity.
Mitigation Recommendations
Upgrade to secure_headers version 7.3.0 or later, which includes the fix that properly sanitizes input for the affected CSP directives. Until upgrading, sanitize any user-controlled input passed to :sandbox, :plugin_types, or :report_to directives by rejecting or stripping semicolons (';'), carriage returns ('\r'), and newlines ('\n') before passing them to SecureHeaders.override_content_security_policy_directives, append_content_security_policy_directives, or use_content_security_policy_named_append. Applications that only use static values for these directives do not require additional action beyond upgrading.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-rqq5-2gf9-4w4q
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-54163"]
- Ecosystems
- ["RubyGems"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a520eb168715ace438f4ff7
Added to database: 07/11/2026, 09:36:49 UTC
Last enriched: 07/11/2026, 09:48:52 UTC
Last updated: 07/12/2026, 03:34:00 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.