Ruby on Rails Static Analysis Security Tool

Brakeman 4.2.1 Released

This is a small release to add warnings for CVE-2018-3741 and CVE-2018-8048.

Please note there have been a number of vulnerabilities in the Rails HTML sanitization methods over the years. Only use sanitization when an application must accept and render HTML from an untrusted source. Otherwise, escape outputs instead.

Changes since 4.2.0:

  • Add warning for CVE-2018-3741
  • Add warning for CVE-2018-8048
  • Scan app/jobs/ directory
  • Handle template_exists? in controllers (#1124)


CVE-2018-3741 is a vulnerability in the rails-html-sanitizer gem which may allow bypassing attribute whitelists and therefore cross-site scripting.



CVE-2018-8048 is a similar vulnerability in the loofah gem.


Scan Jobs

Brakeman will now scan files in the app/jobs/ directory and treat them as additional libraries.


Template Guard Condition

Brakeman will no longer warn about dynamic render paths if template_exists? is used as a guard condition.


A Note on Vulnerabilities in Depdendencies

Brakeman does not warn about all CVEs in application dependencies. There are many better tools that track and detect vulnerable dependencies.

Brakeman only includes warnings about vulnerabilities announced on the Rails Security Mailing List.


The SHA256 sums for this release are:

3ba1cd39d98edcae7a0802ef0206de1438439cfdf4edb559c676877e2c253498  brakeman-4.2.1.gem
54a4aa336f3c21477a9bab12eeba6bb79ffa34a015e89a748621f7fd037d1943  brakeman-lib-4.2.1.gem
d53f2275320dfe5609234e74ce3a73a7d8c44dfae824fb938a9bae2077a9aecf  brakeman-min-4.2.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.

If you find Brakeman valuable and want to support its development (and get more features!), check out Brakeman Pro.