
CVE-2015-3224: Rails RCE (Web Console)

CVE-2015-3224 is a Remote Code Execution (RCE) vulnerability in Ruby on Rails caused by an insecure implementation of the Rails Web Console feature.

The vulnerability allows an attacker to execute arbitrary Ruby code remotely by abusing how Rails determines whether a request is coming from a “trusted” IP address.

Affected Component

  • Rails Web Console
  • Enabled by default in development mode
  • Intended to be accessible only from localhost

Affected Rails versions:

  • Rails 4.0.x
  • Rails 4.1.x
  • Rails 4.2.x
    (unpatched versions)

Root Cause

Rails Web Console restricts access using IP-based trust checks.

The problem:

  • Rails trusted the X-Forwarded-For HTTP header
  • The IP validation logic was incorrect
  • Attackers could spoof their IP and bypass the restriction

As a result, an attacker could:

  • Trick Rails into thinking the request came from 127.0.0.1
  • Gain access to the interactive Ruby console
  • Execute arbitrary Ruby code on the server

How the Vulnerability Works

Rails checks:

request.remote_ip

But:

  • remote_ip is derived from X-Forwarded-For
  • The parsing logic was flawed
  • Supplying multiple IPs could bypass validation

Example malicious header:

X-Forwarded-For: 127.0.0.1, 8.8.8.8
X-Forwarded-For: 0000::1

Rails incorrectly trusted the request as coming from localhost.
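The Ruby below is an added example, not this page's own code and not web-console's. It puts a naive trust check, modelled on the flaw described above (it believes the first X-Forwarded-For entry), beside a hardened one that starts from the TCP peer address in REMOTE_ADDR and consults X-Forwarded-For only when that peer is a configured reverse proxy, walking the header from the right. Both checks compare addresses with IPAddr rather than as strings, so 0000::1 and ::1 are the same address to them. The env hashes, the remote client address 203.0.113.5, the LOOPBACK_NETWORKS constant and the trusted_proxies parameter are all constructed for this example.

```ruby
require "ipaddr"

# Addresses the console is meant to accept, matching the "localhost only"
# intent described above. Constructed for this example.
LOOPBACK_NETWORKS = [IPAddr.new("127.0.0.0/8"), IPAddr.new("::1")].freeze

# Parse one address string into an IPAddr, unwrapping IPv4-mapped IPv6 forms
# (::ffff:127.0.0.1 -> 127.0.0.1). Returns nil for anything malformed.
def parse_ip(str)
  return nil if str.nil? || str.strip.empty?
  ip = IPAddr.new(str.strip)
  ip.ipv4_mapped? ? ip.native : ip
rescue IPAddr::InvalidAddressError, ArgumentError
  nil
end

def in_any?(ip, networks)
  networks.any? { |net| net.include?(ip) }
end

# Naive check: a simplified model of the flaw this page describes, not
# web-console's actual code. It believes the first X-Forwarded-For entry,
# which any remote client can set, and looks at the socket peer only when
# the header is absent.
def naive_trusted?(env)
  xff = env["HTTP_X_FORWARDED_FOR"].to_s
  claimed = xff.empty? ? env["REMOTE_ADDR"] : xff.split(",").first
  ip = parse_ip(claimed)
  !ip.nil? && in_any?(ip, LOOPBACK_NETWORKS)
end

# Hardened determination of the client address:
#  1. start from REMOTE_ADDR, the TCP peer, which a remote client cannot forge;
#  2. consult X-Forwarded-For only if that peer is one of our own proxies, and
#     then walk the header from the right, skipping further trusted proxies;
#  3. refuse (nil) on any malformed entry instead of guessing.
# With the default empty proxy list the header is ignored entirely, which is
# the right setting for a development console with nothing in front of it.
def client_ip(env, trusted_proxies: [])
  peer = parse_ip(env["REMOTE_ADDR"])
  return nil if peer.nil?
  return peer unless in_any?(peer, trusted_proxies)

  hops = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map { |s| parse_ip(s) }
  return nil if hops.any?(&:nil?)
  hops.reverse_each { |hop| return hop unless in_any?(hop, trusted_proxies) }
  peer # every hop was one of our proxies; the peer is the best we have
end

def hardened_trusted?(env, trusted_proxies: [])
  ip = client_ip(env, trusted_proxies: trusted_proxies)
  !ip.nil? && in_any?(ip, LOOPBACK_NETWORKS)
end

# Constructed requests: a remote client (203.0.113.5) sending the two headers
# shown above.
SPOOFED_REQUESTS = [
  { "REMOTE_ADDR" => "203.0.113.5", "HTTP_X_FORWARDED_FOR" => "127.0.0.1, 8.8.8.8" },
  { "REMOTE_ADDR" => "203.0.113.5", "HTTP_X_FORWARDED_FOR" => "0000::1" },
].freeze

if __FILE__ == $PROGRAM_NAME
  SPOOFED_REQUESTS.each do |env|
    header = env["HTTP_X_FORWARDED_FOR"].ljust(20)
    puts "#{header} naive=#{naive_trusted?(env)} hardened=#{hardened_trusted?(env)}"
  end
end
```

Running it prints naive=true and hardened=false for both constructed requests. For a development console with no proxy in front of it, leave trusted_proxies empty so the header plays no part in the decision at all; behind a real reverse proxy, list only that proxy, and the right-to-left walk stops at the first address the proxy chain did not itself add. The general point is that an IP allow-list is only as strong as the address it is applied to, and that address must be one the peer cannot choose.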
