CVE-2016-0752

HIGH KEV

Ruby on Rails Dynamic Render File Upload Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2016-0752 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 4 public exploits from researchers including Metasploit, forced-request, and dachidahu, among them the Metasploit module exploits/multi/http/rails_dynamic_render_code_exec.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2016-0752, a remote code execution vulnerability in Ruby on Rails' dynamic render method. It uploads a malicious file via a POST request and triggers execution by manipulating the render path.

Description

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/40561

This Metasploit module exploits CVE-2016-0752, a remote code execution vulnerability in Ruby on Rails' dynamic render method. It uploads a malicious file via a POST request and triggers execution by manipulating the render path.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ruby on Rails (tested on 4.0.8, affects multiple versions)
No auth needed
Prerequisites: Vulnerable Ruby on Rails application with dynamic render paths · Access to a POST endpoint for file upload
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 10 stars
by forced-request · poc
https://github.com/forced-request/rails-rce-cve-2016-0752

This repository contains a functional Rails application demonstrating CVE-2016-0752, a dynamic render vulnerability leading to RCE. The vulnerable endpoint in `UserController` allows arbitrary file rendering, which can be exploited to execute code via crafted requests.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ruby on Rails (versions before 4.2.5.1, 4.1.14.1, 3.2.22.1)
No auth needed
Prerequisites: Access to a vulnerable Rails application with exposed dynamic render functionality
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by dachidahu · poc
https://github.com/dachidahu/CVE-2016-0752

This repository contains a functional Rails application demonstrating CVE-2016-0752, a dynamic render vulnerability leading to RCE. The vulnerable code is in `UserController#show`, which directly renders user-supplied input without validation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ruby on Rails (versions affected by CVE-2016-0752)
No auth needed
Prerequisites: Access to the vulnerable endpoint (`/users/dashboard`)
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by mr_me, John Poulin (forced-request) · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb

This Metasploit module exploits CVE-2016-0752, a remote code execution vulnerability in Ruby on Rails' dynamic render method. It uploads a malicious file via a POST request and triggers execution by leveraging user parameters in the render function.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ruby on Rails (tested on 4.0.8, affects multiple versions)
No auth needed
Prerequisites: Vulnerable Rails endpoint with dynamic render paths · POST endpoint for file upload
devstral-2 · analyzed Feb 16, 2026

References (13)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40561/
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
Exploit, Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/01/25/13
Permissions Required vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/81801
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034816
Permissions Required vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3464
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0296.html

Scores

CVSS v3 7.5
EPSS 0.9049
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2022-03-25
VulnCheck KEV 2019-12-17
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2017-0333
CWE CWE-22
Status published
Products (9)
debian/debian_linux 8.0
opensuse/leap 42.1
opensuse/opensuse 13.2
redhat/software_collections 1.0
rubygems/actionpack 4.0.0 - 4.1.14.1 (RubyGems)
rubygems/actionview 4.0.0 - 4.1.14.1 (RubyGems)
rubyonrails/rails 5.0.0 beta1
rubyonrails/rails < 3.2.22.1
suse/linux_enterprise_module_for_containers 12
Published Feb 16, 2016
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026