Categories: Cyber Security News

Ruby on Rails Vulnerability Lets Attackers Bypass CSRF Protections

Security experts revealed a critical vulnerability in Ruby on Rails that allows attackers to bypass Cross-Site Request Forgery (CSRF) protections.

The flaw, disclosed on April 26, 2025, affects all current versions of the popular web framework and all versions since the 2022/2023 supposed “fix” for similar issues.

The vulnerability emerges from a fundamental flaw in Rails’ CSRF token implementation. The framework generates these security tokens using a random “one time pad” (OTP) XORed with a “raw token.”

However, in a critical oversight, Rails packages both the OTP and the XORed token together through simple concatenation, creating what it calls a “masked token.”

This implementation error means attackers can easily decode CSRF tokens and generate new valid ones, completely circumventing the protection mechanism designed to prevent cross-site attacks.

Since the cryptographic key (the OTP) is sent alongside the encrypted data, the security measure is fundamentally compromised.

Analysts and researchers on the Seclists mailing list noted that this vulnerability represents a significant security risk for the thousands of websites built with Rails.

The flaw effectively nullifies a critical security layer that many developers rely on to protect their applications from malicious actors.

The vulnerability was first reported by security researcher Daniel Owens, who provided comprehensive evidence of the flaw.

His disclosure indicates this is essentially the same vulnerability that Rails developers believed they had fixed in updates released in 2022/2023.

Technical Analysis of the Vulnerability

The technical root of the vulnerability lies in the mask_token method in the Rails codebase. This method creates the “masked” version of the authenticity token, which is meant to vary with each request to mitigate attacks on TLS such as BREACH.

The problematic implementation can be seen in the following code snippet:

def mask_token(raw_token)
  # fresh random pad, one token length long
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  # raw token XORed with the pad
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
  # pad and XORed token sent together: pad || (pad XOR raw)
  masked_token = one_time_pad + encrypted_csrf_token
  encode_csrf_token(masked_token)
end

As evident in this code, Rails generates a random one-time pad and uses it to encrypt the token through an XOR operation.

It then simply concatenates the encryption key with the encrypted data before sending it to users, violating a fundamental principle of cryptographic security.

Owens demonstrated the vulnerability with JavaScript code that easily extracts the encryption key and forges new valid tokens:

function getCsrfToken(otp, raw_token) {
  var masked_token = new Uint8Array(raw_token.length);
  for (var i = 0; i < raw_token.length; i++) masked_token[i] = otp[i] ^ raw_token[i];
  // pad || (pad XOR raw), base64-encoded with '=' padding stripped (mirrors mask_token)
  var combined = Array.from(otp).concat(Array.from(masked_token));
  return btoa(combined.map(b => String.fromCharCode(b)).join('')).replace(/=+$/, '');
}

This exploit allows attackers to craft malicious requests that bypass CSRF protection, potentially leading to unauthorized actions performed on behalf of authenticated users on vulnerable Rails applications.
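To make the token format concrete, the following Ruby is an added example, not Rails' own code (only mask_token follows the snippet above): it masks a raw token, unmasks it using nothing but the masked value, and runs the server-side comparison against the raw token stored in the session. The 32-byte length, the URL-safe unpadded base64 encoding and the xor_byte_strings helper are assumptions.

```ruby
require 'securerandom'

# Assumed to match Rails' AUTHENTICITY_TOKEN_LENGTH (32 bytes).
AUTHENTICITY_TOKEN_LENGTH = 32

# Byte-wise XOR of two equal-length strings (stands in for Rails' xor_byte_strings).
def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |a, b| a ^ b }.pack('C*')
end

# URL-safe base64 without '=' padding, as the page's JavaScript produces (assumed encoding).
def encode_csrf_token(raw)
  [raw].pack('m0').tr('+/', '-_').delete('=')
end

def decode_csrf_token(encoded)
  s = encoded.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
rescue ArgumentError
  nil
end

# Masking exactly as the page describes: OTP || (OTP XOR raw_token), then encoded.
def mask_token(raw_token)
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
  encode_csrf_token(one_time_pad + encrypted_csrf_token)
end

# Reversing the mask needs nothing beyond the masked token itself: the OTP is its
# first half. Returns nil for anything that is not exactly two token lengths long.
def unmask_token(masked_token)
  bytes = decode_csrf_token(masked_token)
  return nil unless bytes && bytes.bytesize == 2 * AUTHENTICITY_TOKEN_LENGTH
  one_time_pad = bytes[0, AUTHENTICITY_TOKEN_LENGTH]
  encrypted = bytes[AUTHENTICITY_TOKEN_LENGTH, AUTHENTICITY_TOKEN_LENGTH]
  xor_byte_strings(one_time_pad, encrypted)
end

# The server-side check: unmask, then compare against the raw token stored in the
# user's session in constant time. A token masked from a different raw token fails.
def valid_masked_token?(masked_token, session_raw_token)
  unmasked = unmask_token(masked_token)
  return false unless unmasked && unmasked.bytesize == session_raw_token.bytesize
  unmasked.bytes.zip(session_raw_token.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end
```

Each call to mask_token yields a different encoded string for the same raw token, while unmask_token recovers the same raw token from any of them.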


The post Ruby on Rails Vulnerability Let Bypass CSRF Protections appeared first on Cyber Security News.
