GHSA-MPWP-4H2M-765C
Active Job's Identity Crisis: Object Injection in Rails 4.2
Amit Schendel
Senior Security Researcher · Jan 17, 2026 · 6 min read · 2 visits
PoC Available
Executive Summary (TL;DR)
Active Job tried to be too smart for its own good. In early Rails 4.2 betas, it automatically converted any string starting with `gid://` into a Ruby object. Attackers could exploit this to force the application to load and execute the `.find()` method on arbitrary classes, leading to potential authorization bypasses or worse, depending on the available gadgets.
A critical object injection vulnerability in Ruby on Rails' Active Job component (versions < 4.2.0.beta2) allows attackers to instantiate arbitrary application objects by passing specially crafted strings starting with the 'gid://' protocol.
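The ambiguity described in the summary, as an added example that is not Rails' or the advisory's code: a self-contained Ruby model in which `deserialize_unsafe` resolves any `gid://` string, next to a version that resolves only a typed envelope for allowlisted classes. The classes, `Ref`, `REF_KEY`, `ALLOWED` and the function names are hypothetical.

```ruby
# Constructed model of the flaw; all names are hypothetical, not Rails code.
LOOKUPS = [] # every [class, id] pair a deserializer passed to find()

class User
  def self.find(id)
    LOOKUPS << [name, id]
    "#{name.downcase}:#{id}"
  end
end
class ApiKey < User; end # a class the job author never meant to expose

Ref = Struct.new(:klass, :id) # stands in for a model instance given to a job
GID = %r{\Agid://[^/]+/([A-Z]\w*)/([^/]+)\z}

# Before: any string that looks like a GID is resolved, so whoever controls
# a string argument chooses the class whose find() runs.
def deserialize_unsafe(arg)
  m = arg.is_a?(String) && GID.match(arg)
  m ? Object.const_get(m[1]).find(m[2]) : arg
end

REF_KEY = "_ref"                    # hypothetical envelope key
ALLOWED = { "User" => User }.freeze # classes a job is allowed to load

# After, write side: references get a typed envelope, caller-supplied hashes
# may not carry the reserved key, and strings pass through as plain data.
def serialize_safe(arg)
  case arg
  when Ref
    { REF_KEY => "gid://app/#{arg.klass}/#{arg.id}" }
  when Hash
    raise ArgumentError, "reserved key in job argument" if arg.key?(REF_KEY)
    arg
  else
    arg
  end
end

# After, read side: only the envelope is resolved, and only for allowed classes.
def deserialize_safe(arg)
  return arg unless arg.is_a?(Hash) && arg.keys == [REF_KEY]
  m = GID.match(arg[REF_KEY].to_s) or raise ArgumentError, "malformed reference"
  model = ALLOWED.fetch(m[1]) { raise ArgumentError, "class not allowed: #{m[1]}" }
  model.find(m[2])
end
```

With the envelope, a `gid://` string supplied as job data round-trips unchanged and triggers no lookup, while a genuine `User` reference still resolves.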
Technical Appendix
CVSS Score
8.7 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Probability
0.10%
Affected Systems
Ruby on Rails (Active Job)
Applications using GlobalID
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| activejob Rails | < 4.2.0.beta2 | 4.2.0.beta2 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-74 (Improper Neutralization of Special Elements) |
| Attack Vector | Network (Job Queue) |
| CVSS v3.1 | 8.7 (High) |
| Impact | Integrity / Object Injection |
| Affected Component | ActiveJob::Arguments#deserialize |
| Exploit Status | PoC Available (Theoretical) |
MITRE ATT&CK Mapping
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')