CVE-2020-8163 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-8163 PUBLISHED

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.

EPSS 90.93% · 99.6th percentile

Risk Scores

EPSS Score

90.93%

99.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:24.04:LTS	rails	0, 2:6.1.7.3+dfsg-3, 2:6.1.7.3+dfsg-2build1
Ubuntu:Pro:20.04:LTS	rails	, , 2:5.2.3+dfsg-3
Ubuntu:Pro:16.04:LTS	rails	*, 0, 2:4.1.10-1
Ubuntu:Pro:18.04:LTS	rails	2:4.2.10-0ubuntu4, *, 2:4.2.10-0ubuntu4+esm1
Ubuntu:25.10	rails	, 0,
Ubuntu:Pro:22.04:LTS	rails	2:6.0.3.7+dfsg-2, 0, *

Timeline

Jul 2, 2020 CVE Published
Jul 27, 2020 PoC Published
Apr 14, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Nov 21, 2024 CVE Updated
Mar 27, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Mar 30, 2025 EPSS Score
May 1, 2025 EPSS Score
May 4, 2025 EPSS Score
May 25, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2020-8163 third-party-advisory
https://weblog.rubyonrails.org/2020/5/16/rails-4-2-11-3-has-been-released/ third-party-advisory
https://github.com/rails/rails/commit/4c46a15e0a7815ca9e4cd7c7fda042eb8c1b7724 third-party-advisory
https://github.com/rails/rails/commit/1f3db0ad793441a0c00e85d56228fc80aafbe6c1 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-8163 third-party-advisory

Open in Interactive Console →