Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input

0
Medium
Published: 07/10/2026 (07/10/2026, 20:37:15 UTC)
Source: GCVE Database
Product: secure_headers

Description

The secure_headers RubyGem versions prior to 7.3.0 contain a vulnerability where untrusted input passed to certain Content-Security-Policy (CSP) directives (:sandbox, :plugin_types, :report_to) is not properly sanitized. This allows injection of arbitrary CSP directives by including semicolons and newline characters, which can override the intended strict script-src policy and enable unsafe inline scripts. This effectively creates an XSS vector despite a strict global CSP configuration. The vulnerability also allows attackers to redirect CSP violation reports to attacker-controlled endpoints. The issue is fixed in version 7.3.0.

CVSS v3.1

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected software

RubyGemsghsa
secure_headers
Affected versions
<7.3.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:48:52 UTC

Technical Analysis

secure_headers builds the Content-Security-Policy header by concatenating directives. Three directive builders (for :sandbox, :plugin_types, and :report_to) interpolate caller-supplied strings without sanitizing semicolons, carriage returns, or newlines. This enables attackers to inject additional CSP directives, including a script-src directive with 'unsafe-inline', which takes precedence due to CSP's first-occurrence rule, effectively bypassing the configured strict script-src policy. This can lead to full XSS exploitation where untrusted input reaches these directives. Additionally, attackers can redirect CSP violation reports to their infrastructure, leaking sensitive information. The vulnerability affects versions prior to 7.3.0, which introduced proper sanitization. Applications using static values for these directives are not vulnerable, but those passing user-controlled input must upgrade and sanitize inputs.

Potential Impact

An attacker able to supply untrusted input to the vulnerable CSP directives can inject arbitrary CSP directives, including a permissive script-src 'unsafe-inline' policy, enabling cross-site scripting (XSS) attacks despite a strict global CSP. This undermines the security guarantees of the CSP, potentially allowing script injection and execution. Additionally, attackers can redirect CSP violation reports to attacker-controlled endpoints, leaking URLs, source files, and other sensitive data useful for reconnaissance. Applications not passing user input to these directives are not impacted. The vulnerability is moderate in severity due to the requirement of user input control and some attack complexity.

Mitigation Recommendations

Upgrade to secure_headers version 7.3.0 or later, which includes the fix that properly sanitizes input for the affected CSP directives. Until upgrading, sanitize any user-controlled input passed to :sandbox, :plugin_types, or :report_to directives by rejecting or stripping semicolons (';'), carriage returns ('\r'), and newlines ('\n') before passing them to SecureHeaders.override_content_security_policy_directives, append_content_security_policy_directives, or use_content_security_policy_named_append. Applications that only use static values for these directives do not require additional action beyond upgrading.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-rqq5-2gf9-4w4q
Osv Schema Version
1.4.0
Aliases
["CVE-2026-54163"]
Ecosystems
["RubyGems"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a520eb168715ace438f4ff7

Added to database: 07/11/2026, 09:36:49 UTC

Last enriched: 07/11/2026, 09:48:52 UTC

Last updated: 07/12/2026, 03:34:00 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses