grape 0.1.1

1 security vulnerability found in version 0.1.1

ruby-grape Gem has XSS via "format" parameter

medium severity CVE-2018-3769
medium severity CVE-2018-3769
Patched versions: >= 1.1.0

When request on API contains the "format" parameter in GET, the input value of this parameter is rendered as the web-server responds with text/html header.

Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E

1 memory leak found in version 0.1.1

Memory leak in formatter middleware

301
Patched versions: >= 0.10
Leaky versions: < 0.2.5

The call for .to_sym will leak the symbol since those are never garbage collected. Malicious users can abuse.

Author did not declare license for this gem in the gemspec.


This gem version has a MIT license in the source code, however it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.