All Sprockets CVEs — Complete Vulnerability History
Sprockets is the Rails asset pipeline (the sprockets gem, mounted into a Rails app by sprockets-rails). Its vulnerability history is dominated by one bug class, path traversal: Sprockets::Server turns the path of an incoming asset request into a filesystem lookup, so any gap between its own checks and the filesystem's interpretation of `..` and percent-encoded sequences lets a request reach files outside the asset root. The exposure is the on-demand server, which sprockets-rails only mounts at the asset prefix when config.assets.compile is true; a production app that precompiles its assets and serves them as static files from public/assets never routes requests through that code path, which is why disabling assets.compile was the published workaround for CVE-2018-3760.
Ruby
2M+ weekly downloads
3 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2018-3760 | 2018 | HIGH | Path traversal in asset serving (Sprockets server, affects 2.12.4 and below, 3.7.1 and below, 4.0.0.beta7 and below) | Fixed 2.12.5 / 3.7.2 / 4.0.0.beta8 |
| CVE-2020-8184 | 2020 | HIGH | Path traversal in asset serving (bypass) | Fixed 3.7.2 |
| CVE-2022-25902 | 2022 | HIGH | Path traversal via specially crafted filenames | Fixed 4.1.0 |
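The defence that every entry in the table comes down to is canonicalise-then-compare: decode the request path once, let the filesystem layer resolve `.` and `..`, and only then check that the result still sits under the asset root. The following is an added illustration in plain Ruby, not Sprockets' own server code; the asset root, the `safe_asset_path` helper and the request paths are all constructed for the example.

```ruby
# Hypothetical asset root for the demonstration; a real server would use its
# configured asset directories. Added example, not Sprockets code.
ASSET_ROOT = File.expand_path("/srv/app/app/assets")

# Percent-decode exactly once, as a server does before touching the filesystem.
# Decoding a second time would turn a literal "%2e" the client sent as two
# bytes into a dot, which is itself a bypass, so the check works on the
# single-decoded string only.
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Map a request path to a file under root, or return nil when the request must
# be refused (a 403). File.expand_path collapses ".", ".." and repeated slashes,
# so the containment check runs on what the filesystem would actually open.
# A substring test for ".." on the raw request path is not enough: the raw
# path may hide the dots behind %2e, and "..%2f" has no "../" substring.
def safe_asset_path(request_path, root: ASSET_ROOT)
  return nil if request_path.nil? || request_path.empty?
  decoded = percent_decode(request_path)
  return nil if decoded.include?("\0")   # NUL bytes truncate C-level paths

  # If the root exists, resolve it so a symlinked root still compares equal.
  root = File.realpath(root) if File.exist?(root)
  candidate = File.expand_path(File.join(root, decoded))
  # Resolve symlinks on existing targets so a link inside root cannot point
  # outside it (File.realpath needs the file to exist, hence the guard).
  candidate = File.realpath(candidate) if File.exist?(candidate)

  # The trailing slash matters: "/srv/app/app/assets2/x" starts with root
  # as a plain string but is a sibling directory, not a child.
  return nil unless candidate.start_with?(root + "/")
  candidate
end

if __FILE__ == $0
  [
    "javascripts/application.js",
    "../../config/database.yml",
    "%2e%2e/%2e%2e/config/database.yml",
    "javascripts/..%2f..%2fconfig/database.yml",
    "%252e%252e/secret",
    "../assets2/x.js",
  ].each { |req| puts "#{req.ljust(44)} => #{safe_asset_path(req).inspect}" }
end
```

Note the double-encoded `%252e%252e/secret` case: after one decode it is the literal directory name `%2e%2e`, which stays inside the root and is simply a file that does not exist. That is the correct outcome; a checker that keeps decoding until the string stops changing would be stricter here but would also open the door to the opposite mismatch, where the check sees a different path from the one the filesystem opens.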
Current safe version: 4.2.1

```ruby
# Before
gem 'sprockets', '3.7.2'
# After
gem 'sprockets', '4.2.1'
```

Then run: bundle install

Three checks before calling the upgrade done. First, sprockets is often not in the Gemfile at all because sprockets-rails depends on it; in that case either add the line above or run `bundle update sprockets --conservative` so that only that gem moves. Second, confirm the resolved version with `bundle info sprockets` or by reading Gemfile.lock, since the lockfile, not the Gemfile, is what gets deployed. Third, 3.x to 4.x is not a drop-in bump: Sprockets 4 requires an app/assets/config/manifest.js declaring which assets to compile, and a Rails app on 3.7.x without that file will fail to boot on 4.x until it is added.
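Because the lockfile is what actually ships, a version check belongs there rather than in the Gemfile. The following is an added example, not part of this page's tooling or of Sprockets: it reads the resolved sprockets version out of a constructed Gemfile.lock excerpt (in which sprockets is only a transitive dependency of sprockets-rails) and compares it against the affected ranges from the CVE-2018-3760 announcement and against the 4.2.1 release recommended above. The lockfile text, the `locked_version` and `sprockets_report` helpers and the report format are all assumptions made for the example.

```ruby
require "rubygems"

# Constructed Gemfile.lock excerpt for the demonstration (not from a real app).
# sprockets is not pinned in the Gemfile here; sprockets-rails pulls it in.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.8)
      sprockets (3.7.1)
        concurrent-ruby (~> 1.0)
        rack (> 1, < 3)
      sprockets-rails (3.4.2)
        actionpack (>= 5.2)
        activesupport (>= 5.2)
        sprockets (>= 3.0.0)
LOCK

# Affected ranges for CVE-2018-3760 as published in the Rails security
# announcement: fixed in 2.12.5, 3.7.2 and 4.0.0.beta8 respectively.
CVE_2018_3760_AFFECTED = [
  Gem::Requirement.new("< 2.12.5"),
  Gem::Requirement.new(">= 3.0", "< 3.7.2"),
  Gem::Requirement.new(">= 4.0.0.beta", "< 4.0.0.beta8"),
].freeze

# The release this page recommends moving to.
RECOMMENDED = Gem::Version.new("4.2.1")

# Read the resolved version of a gem from Gemfile.lock text. Top-level specs
# are indented by exactly four spaces and their dependencies by six, so the
# anchor matches "    sprockets (3.7.1)" but not "      sprockets (>= 3.0.0)"
# listed under sprockets-rails, and not "sprockets-rails" itself.
def locked_version(lock_text, gem_name)
  m = lock_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Gem::Requirement handles prerelease ordering for us: 4.0.0.beta7 sorts
# below 4.0.0.beta8, and 4.0.0 sorts above both.
def cve_2018_3760_affected?(version)
  CVE_2018_3760_AFFECTED.any? { |req| req.satisfied_by?(version) }
end

# Summarise what the lockfile says about sprockets.
def sprockets_report(lock_text)
  version = locked_version(lock_text, "sprockets")
  return { present: false } if version.nil?
  {
    present: true,
    version: version.to_s,
    cve_2018_3760: cve_2018_3760_affected?(version),
    below_recommended: version < RECOMMENDED,
  }
end

if __FILE__ == $0
  p sprockets_report(LOCKFILE)
end
```

Only the 2018 entry is encoded above because its affected ranges were published per release line; add further ranges as separate Gem::Requirement entries rather than collapsing everything into a single "below 4.2.1" test, which would mis-report a patched 3.7.x line that an app cannot yet move off.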
Common questions
Does Rails 7 use Sprockets?
Rails 7 still generates new apps with Sprockets (through sprockets-rails) as the default asset pipeline, but Propshaft is a supported alternative: `rails new myapp -a propshaft` produces an app that never loads the sprockets gem, and with it none of the CVE surface above. Import maps are a different layer. importmap-rails, the Rails 7 default for JavaScript, replaces the JavaScript bundler, not the asset pipeline, so an importmap app still serves its files through either Sprockets or Propshaft and does not avoid Sprockets on its own. Existing apps can move to Propshaft, but that is a change in how assets are located and fingerprinted rather than a version bump, so it is a migration project, not a patch.