All Ransack CVEs — Complete Vulnerability History

Ransack is the most widely used Ruby gem for object-based search, filtering and sorting in Rails applications. Its one published CVE is a critical SQL injection reachable through crafted sort parameters, a common attack surface because sort values normally arrive straight from the query string.

Ruby · 500K+ weekly downloads · 1 CVE total · 1 CRITICAL

Full CVE history

CVE             Year  Severity  Description                                 Fix
CVE-2022-35956  2022  CRITICAL  SQL injection via crafted sort parameters   Fixed in 3.1.0

Current safe version: 4.1.1 (the fix for CVE-2022-35956 shipped in 3.1.0, so any 3.1.0 or later release, including the 3.2.1 shown below, is already patched; 4.1.1 is the current release)

# Before
gem 'ransack', '3.2.1'
# After
gem 'ransack', '4.1.1'

Then run: bundle install (or bundle update ransack if the gem is not pinned to an exact version). Note that moving from 3.x to 4.x is a major upgrade: Ransack 4.0 made attribute allowlisting mandatory, so every model you search must define the ransackable_attributes and ransackable_associations class methods or Ransack raises an error at query time. Test the upgrade before deploying it.

Paste your manifest — get a fixed version with all CVEs patched in seconds.



Common questions

How does Ransack SQL injection work?
CVE-2022-35956 affects Ransack before 3.1.0. Values supplied in the sort parameter (q[s]) were passed into the generated ORDER BY clause without sufficient validation, so a crafted value such as ?q[s]=name+asc;DROP+TABLE+users reaches the database as SQL rather than as a column name plus direction. Update to 3.1.0 or later, which validates sort parameters. Independently of the version, restrict what a request may sort or search on: define ransackable_attributes on the model (and ransortable_attributes if the sort allowlist should be narrower than the search allowlist) so that only named columns and the literal directions asc and desc are accepted.
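The allowlist approach from the answer above, as an added example that is not Ransack's own code: a small pure-Ruby validator for Ransack-style q[s] values (a string or an array of "column direction" strings) that lets only allowlisted column names and the literal directions asc/desc through to ORDER BY, and falls back to a fixed default order when nothing valid remains. The column names and the default order are assumptions for the demo; in a real Rails app the same restriction is expressed by defining ransortable_attributes on the model rather than by building SQL yourself.

```ruby
# Added example, not Ransack's code: allowlist-based validation of
# Ransack-style sort parameters (q[s]) before anything reaches ORDER BY.
# The column names and default order below are assumptions for the demo.

ALLOWED_SORT_COLUMNS = %w[name email created_at].freeze
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

# Parses one "<column> [<direction>]" token, e.g. "name asc" or "email".
# Returns [column, direction] or nil when the token is malformed, names a
# column outside the allowlist, or carries anything other than asc/desc.
def parse_sort_token(token)
  return nil unless token.is_a?(String)

  parts = token.strip.split(/\s+/)
  return nil unless parts.length.between?(1, 2)

  column, direction = parts
  direction = (direction || "asc").downcase
  return nil unless ALLOWED_SORT_COLUMNS.include?(column)
  return nil unless ALLOWED_DIRECTIONS.include?(direction)

  [column, direction]
end

# Accepts the raw q[s] value (String or Array of Strings) and returns only the
# allowlisted [column, direction] pairs. Rejected tokens are dropped rather
# than passed through; if nothing survives, the default order is used.
def safe_sorts(raw, default: [["created_at", "desc"]])
  sorts = Array(raw).map { |t| parse_sort_token(t) }.compact
  sorts.empty? ? default : sorts
end

# Builds the ORDER BY fragment from allowlisted pairs only. Every identifier
# and direction here came from a constant, so no request data is interpolated.
def order_by_sql(raw)
  "ORDER BY " + safe_sorts(raw).map { |col, dir| "#{col} #{dir.upcase}" }.join(", ")
end

# Constructed inputs for the demo: a normal sort, a multi-column sort, and the
# injection payload from the answer above (rejected, default order applied).
puts order_by_sql("name asc")
puts order_by_sql(["name asc", "email desc"])
puts order_by_sql("name asc;DROP TABLE users")
puts order_by_sql("password desc")
```

Because the payload "name asc;DROP TABLE users" splits into four whitespace-separated parts, it never matches the "column direction" shape and is discarded; a variant without the space ("name asc;DROP") fails because "asc;drop" is not an allowed direction, and a non-allowlisted column such as password is dropped even with a valid direction.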
