PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-32224 Activerecord Project CVE debrief

CVE-2022-32224 is a critical vulnerability in Active Record YAML serialized columns that can escalate to remote code execution if an attacker can manipulate data in the database. NVD lists the issue as CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), with affected versions including Active Record < 7.0.3.1, < 6.1.6.1, < 6.0.5.1, and < 5.2.8.1.

Vendor
Activerecord Project
Product
Active Record (Ruby on Rails)
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2022-12-05
Original CVE updated
2026-05-11
Advisory published
2022-12-05
Advisory updated
2026-05-11

Who should care

Teams running Ruby applications that use Active Record YAML serialized columns should treat this as urgent, especially where an attacker could write or modify database content through SQL injection or another data-write path.

Technical summary

The vulnerability is a deserialization weakness (CWE-502): Active Record's YAML column coder loaded stored column values with the full YAML loader, so a YAML document that names an arbitrary Ruby class is instantiated on read. An attacker who can write to a serialized column, for example through SQL injection, can therefore control which objects the application builds when it reads the row back, which is the path to RCE. The corpus indicates vulnerable version ranges for the Active Record 5.2, 6.0, 6.1, and 7.0 lines up to the stated fixed releases; the fixed releases load YAML columns through Psych.safe_load with a class allowlist instead. The CVSS vector in NVD is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact once the attacker can reach the affected data path.
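The following stand-alone Ruby script is an added illustration of the mechanism, not code from Active Record or from the Rails advisory. It models the two loader behaviours directly with Psych: the pre-fix path that instantiates whatever class the stored YAML names, and the post-fix path that calls Psych.safe_load with an allowlist (Symbol only, matching the default the patched releases use for YAML columns). The AuditHook class and both column values are constructed for the example; the tampered value stands in for whatever an attacker could place in the column through a data-write path. No real gadget chain is shown, only the arbitrary instantiation that such a chain builds on.

```ruby
require "yaml"

# Hypothetical application class, constructed for this example. It stands
# in for any class on the application's load path that an attacker could
# name in stored YAML.
class AuditHook
  attr_reader :command

  def initialize(command = nil)
    @command = command
  end
end

# Constructed column value as the application would write it:
# a Hash with Symbol keys, which YAML emits as ":theme: dark".
BENIGN_PREFS = { theme: "dark", per_page: 25 }.to_yaml

# Constructed attacker-controlled column value, as it would sit in the
# database after a write through SQL injection or another write path.
TAMPERED_PREFS = <<~YAML
  --- !ruby/object:AuditHook
  command: "id"
YAML

# Pre-fix behaviour (simplified): the full YAML loader, which revives any
# class the document names. Psych.unsafe_load exists from Psych 3.3.2;
# on older Psych, Psych.load is the unrestricted loader.
def load_prefs_unsafe(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Post-fix behaviour (simplified): safe_load with an explicit allowlist.
# Anything outside core scalars, Hash, Array and the permitted classes
# raises Psych::DisallowedClass instead of being instantiated.
def load_prefs_safe(yaml, permitted_classes: [Symbol])
  Psych.safe_load(yaml, permitted_classes: permitted_classes, aliases: false)
end

# Classify a stored value the way the patched coder effectively does:
# accepted if it deserializes under the allowlist, rejected otherwise.
def classify(yaml)
  load_prefs_safe(yaml)
  :accepted
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  obj = load_prefs_unsafe(TAMPERED_PREFS)
  puts "unsafe loader built #{obj.class} with command=#{obj.command.inspect}"
  puts "safe loader, tampered value: #{classify(TAMPERED_PREFS)}"
  puts "safe loader, benign value:   #{classify(BENIGN_PREFS)}"
end
```

Run with plain ruby; nothing beyond the standard library is needed. The point to take away is that the benign value round-trips under the allowlist only because Symbol is permitted, which is why an application that stores Date, Time or its own classes in a YAML column will start raising Psych::DisallowedClass after the upgrade rather than silently keep working.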

Defensive priority

Critical. Prioritize if the application stores YAML-serialized data in Active Record and any attacker-controlled or indirectly controlled database write path exists.

Recommended defensive actions

  • Upgrade Active Record to a fixed release at or above 7.0.3.1, 6.1.6.1, 6.0.5.1, or 5.2.8.1, depending on the branch in use.
  • After upgrading, expect reads of YAML columns that hold classes other than Symbol (Date, Time, application classes) to raise Psych::DisallowedClass. Add only the classes actually stored to config.active_record.yaml_column_permitted_classes; do not re-enable config.active_record.use_yaml_unsafe_load, which restores the vulnerable behaviour.
  • Inventory uses of YAML serialization in Active Record models (serialize calls without a JSON coder) and reduce or remove YAML-serialized columns where feasible.
  • Review whether any SQL injection, admin console access, import pipeline, or other database-write path could let an attacker influence serialized content.
  • Treat the issue as especially urgent in applications that deserialize database-stored YAML into application objects.
  • Validate remediation with dependency checks and regression testing around any model attributes that previously used YAML serialization.
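The inventory step above is easy to script. The Ruby script below is an added example, not a tool from the Rails project: it walks a models directory, finds serialize declarations, and flags the ones that use the YAML coder (no coder argument, or a positional type such as Hash or Array, as opposed to JSON or coder: JSON). The three sample model files are constructed and written to a temporary directory so the script runs offline; point inventory_serialized_columns at app/models to use it on a real application.

```ruby
require "tmpdir"
require "fileutils"

# Constructed sample model sources covering the common serialize spellings.
SAMPLE_MODELS = {
  "user.rb" => <<~RUBY,
    class User < ApplicationRecord
      serialize :preferences
      serialize :roles, Array
    end
  RUBY
  "event.rb" => <<~RUBY,
    class Event < ApplicationRecord
      serialize :payload, JSON
      serialize :metadata, coder: JSON
    end
  RUBY
  "profile.rb" => <<~RUBY,
    class Profile < ApplicationRecord
      # commented out: serialize :old_settings
      serialize :settings, Hash
    end
  RUBY
}.freeze

# Matches "serialize :attr" with optional trailing options.
SERIALIZE_RE = /^\s*serialize\s+:(\w+)(?:\s*,\s*(.*?))?\s*$/

# YAML is the default coder; a positional type (Hash, Array, ...) still
# uses YAML. Only an explicit JSON coder takes the column off the YAML path.
def yaml_coder?(options)
  return true if options.nil? || options.strip.empty?
  !options.match?(/\bJSON\b/)
end

# Walk a directory of model files and return one finding per serialize call.
def inventory_serialized_columns(dir)
  findings = []
  Dir.glob(File.join(dir, "**", "*.rb")).sort.each do |path|
    File.foreach(path).with_index(1) do |line, lineno|
      next if line.strip.start_with?("#")
      m = SERIALIZE_RE.match(line) or next
      findings << {
        file: File.basename(path),
        line: lineno,
        attribute: m[1],
        options: m[2],
        yaml: yaml_coder?(m[2])
      }
    end
  end
  findings
end

# Write the constructed sample models into dir so the inventory has input.
def write_sample_models(dir)
  SAMPLE_MODELS.each { |name, src| File.write(File.join(dir, name), src) }
  dir
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    write_sample_models(dir)
    inventory_serialized_columns(dir).each do |f|
      flag = f[:yaml] ? "YAML  " : "json  "
      puts "#{flag} #{f[:file]}:#{f[:line]}  #{f[:attribute]}  #{f[:options].inspect}"
    end
  end
end
```

Every row flagged YAML is a column whose stored classes must be checked against the allowlist after the upgrade, or migrated to a JSON coder.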

Evidence notes

This debrief is based on the supplied NVD record and linked references. NVD lists the vulnerability as published on 2022-12-05T22:15:10.397Z and modified on 2026-05-11T18:16:29.250Z. The corpus includes the Rails security mailing list reference and a GitHub Advisory reference for patch guidance. No KEV entry was provided.

Official resources

Publicly disclosed on 2022-12-05 via the CVE/NVD record and referenced Rails security mailing list and advisory links in the supplied corpus.