CVE-2023-50725

Resque vulnerable to reflected XSS in resque-web failed and queues lists

Description

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=<script>alert(document.cookie)</script>" and "/queues/><img src=a onerror=alert(document.cookie)>". This issue has been patched in version 2.2.1.

Category

6.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.66%
Vendor Advisory github.com
Affected: resque resque
Published at:
Updated at:

References

Link Tags
https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8 patch vendor advisory
https://github.com/resque/resque/pull/1790 patch
https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07 patch
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-50725?
CVE-2023-50725 has been scored as a medium severity vulnerability.
How to fix CVE-2023-50725?
To fix CVE-2023-50725, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-50725 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-50725 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-50725?
CVE-2023-50725 affects resque resque.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.