PatchSiren cyber security CVE debrief

CVE-2026-44837 ViewComponent CVE debrief

Summary

view_component versions 3.0.0 through 4.9.0 contain a path traversal vulnerability in the system test entrypoint. The application uses `File.realpath` to canonicalize a user-controlled file path, then performs a prefix-based check against the temp directory path. This containment check is unsafe because sibling directories can share the same string prefix, allowing an attacker to access files outside the intended directory. The vulnerability is fixed in version 4.9.0.

Vendor
ViewComponent
Product
view_component
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running Ruby on Rails applications with view_component versions 3.0.0-4.9.0, particularly those exposing system test functionality to untrusted users or in multi-tenant environments

Technical summary

The view_component gem's system test entrypoint accepts user-controlled file paths that are processed through `File.realpath` for canonicalization. The resulting path is then validated using a string prefix check against the temp directory path. This partial comparison is vulnerable to path traversal because sibling directories (e.g., `/tmp_target` vs `/tmp`) can satisfy the prefix check while pointing to entirely different locations. An attacker could potentially read arbitrary files accessible to the application process. The vulnerability affects versions 3.0.0 through 4.9.0 and is resolved in 4.9.0.

Defensive priority

medium

Recommended defensive actions

  • Upgrade view_component to version 4.9.0 or later
  • Review application code for any custom path validation logic that uses string prefix comparisons after path canonicalization
  • Audit system test configurations for user-controlled file path inputs
  • Consider implementing additional path traversal defenses such as chroot jails or strict allowlist-based path validation
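The prefix-comparison weakness described in the technical summary, and the review step above that looks for the same pattern, as an added illustration that is not view_component's own code: a plain `start_with?` check after `File.realpath` accepts a sibling directory that shares the string prefix (and a symlink that resolves there), while comparing against the base path plus a trailing separator rejects both. Directory and file names are constructed for the demo and removed afterwards.

```ruby
require "tmpdir"
require "fileutils"

# Vulnerable pattern (CWE-187): canonicalize, then compare as a bare string prefix.
# "<root>/allowed_target/secret.txt" starts with "<root>/allowed", so it passes.
def prefix_contained?(base, candidate)
  File.realpath(candidate).start_with?(File.realpath(base))
end

# Safer pattern: canonicalize both sides, then accept only the base itself or a
# path that continues with a separator after the base. File.join(base, "")
# yields "<base>/", so a sibling such as "<base>_target" can no longer match.
def contained?(base, candidate)
  real_base = File.realpath(base)
  real_cand = File.realpath(candidate)
  return true if real_cand == real_base
  real_cand.start_with?(File.join(real_base, ""))
end

# Constructed layout (hypothetical names, built in a scratch directory):
#   <root>/allowed/ok.txt               inside the permitted directory
#   <root>/allowed_target/secret.txt    sibling sharing the string prefix
#   <root>/allowed/link -> ../allowed_target/secret.txt   symlink escape
# Returns check name => result so each outcome can be inspected.
def demo_checks
  Dir.mktmpdir("ps") do |root|
    base    = File.join(root, "allowed")
    sibling = File.join(root, "allowed_target")
    FileUtils.mkdir_p([base, sibling])
    inside  = File.join(base, "ok.txt")
    outside = File.join(sibling, "secret.txt")
    link    = File.join(base, "link")
    File.write(inside, "fine")
    File.write(outside, "not yours")
    File.symlink(outside, link)
    {
      prefix_inside:  prefix_contained?(base, inside),   # true
      prefix_sibling: prefix_contained?(base, outside),  # true  (the bug)
      prefix_symlink: prefix_contained?(base, link),     # true  (the bug)
      strict_inside:  contained?(base, inside),          # true
      strict_sibling: contained?(base, outside),         # false
      strict_symlink: contained?(base, link),            # false
    }
  end
end
```

`File.realpath` raises `Errno::ENOENT` when the candidate does not exist, so callers should treat that as a rejection rather than falling back to a string-only comparison.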

Evidence notes

The CVE description confirms the vulnerable code path uses `File.realpath` followed by a string prefix comparison with the temp directory path. CWE-187 (Partial Comparison) is cited as the weakness type. The fix version 4.9.0 is explicitly stated. No known exploitation in the wild has been reported.
