A critical vulnerability in Ruby on Rails’ Cross-Site Request Forgery (CSRF) protection mechanism has been identified, affecting all versions since the 2022/2023 “fix” and persisting in the current implementation.
This flaw undermines the framework’s ability to secure applications against CSRF attacks, potentially allowing attackers to forge or replay tokens and execute unauthorized actions on behalf of users.
https://gbhackers.com/ruby-on-rails-vulnerability/