Ruby framework weak secret key - Vulnerability Database

Ruby framework weak secret key

Description

This application uses a weak or default secret key to sign session cookies in a Ruby-based web framework (such as older versions of Rails or frameworks using Rack::Session::Cookie). The secret key is used to cryptographically sign session data to prevent tampering. When this key is weak, predictable, or publicly known, attackers can forge valid session cookies with arbitrary data.

Remediation

Immediately replace the weak secret key with a cryptographically strong random value. Generate a new secret key using a secure random generator with at least 64 characters (128+ recommended). Ensure the key is stored securely outside of version control (use environment variables or secure configuration management).

For Rails applications, generate a new secret:

rake secret

Then update your configuration:

# config/secrets.yml (for config/credentials.yml.enc, edit via `bin/rails credentials:edit`
# rather than writing to the encrypted file directly)
secret_key_base: <generated_secret_here>

# Or use an environment variable
# config/initializers/secret_token.rb
YourApp::Application.config.secret_key_base = ENV['SECRET_KEY_BASE']

For Rack-based applications:

use Rack::Session::Cookie, :secret => ENV['SESSION_SECRET']
# Ensure SESSION_SECRET is set to a long random string

After changing the secret, all existing sessions are invalidated and users will need to re-authenticate.
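The following added example (not Invicti's code, and a simplified stand-in for the framework's cookie signer rather than Rack's exact HMAC-SHA1/Marshal scheme) shows a startup guard that generates and validates a secret of the strength described above, and a signer/verifier that illustrates why rotating the secret invalidates every existing session cookie. The length and distinct-character thresholds in `validate_secret` are assumptions chosen for this example.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

MIN_SECRET_LENGTH = 64 # the page's minimum; 128+ characters recommended

# Generate a secret the way `rake secret` does: 64 random bytes, hex-encoded
# to 128 characters.
def generate_secret
  SecureRandom.hex(64)
end

# Reject secrets that are missing, too short, or obviously low-entropy
# (a repeated character or a short word padded out). Returns [ok, reason].
def validate_secret(secret)
  return [false, 'secret is not set'] if secret.nil? || secret.empty?
  return [false, "shorter than #{MIN_SECRET_LENGTH} characters"] if secret.length < MIN_SECRET_LENGTH
  return [false, 'too few distinct characters'] if secret.chars.uniq.size < 10
  [true, 'ok']
end

# Constant-time comparison so verification time does not reveal how many
# leading bytes of a submitted signature were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign a session hash: base64(JSON payload) + "--" + hex HMAC-SHA256.
# Same shape as a signed session cookie, simplified for illustration.
def sign_session(data, secret)
  payload = Base64.strict_encode64(JSON.generate(data))
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{mac}"
end

# Verify and decode a cookie; returns nil for a tampered cookie or one
# signed under a different (e.g. rotated) secret.
def verify_session(cookie, secret)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_compare(expected, mac)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end
```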