What happened
CISA added CVE-2019-5418 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-07-07 with a remediation due date of 2025-07-28, signaling confirmed exploitation and urgency for patching CISA KEV. The KEV entry identifies “Rails Ruby on Rails” with a path traversal weakness in Action View that attackers are using in the wild CISA KEV. Per the vulnerability record, specially crafted HTTP Accept headers in combination with application code paths that call render file: can cause arbitrary files on the target server to be rendered and disclosed NVD: CVE-2019-5418. MITRE and NVD categorize this as CWE-22 (Path Traversal), consistent with file system access outside intended directories MITRE: CVE-2019-5418.
Why it matters
This bug enables file content disclosure from the host, elevating risk by exposing configuration, credentials, or internal logic that can accelerate compromise NVD: CVE-2019-5418. The trigger surface is the HTTP Accept header, which is trivial for an attacker to manipulate with any HTTP client and difficult to sanitize centrally once an affected code path exists NVD: CVE-2019-5418. Inclusion in CISA’s KEV means this is not theoretical—federal agencies and any organization following KEV policy are expected to remediate on an accelerated timeline due to observed exploitation CISA KEV. Rails is the explicitly affected product, and the flaw resides in Action View’s handling when paired with render file:, which is prevalent in legacy code and custom views MITRE: CVE-2019-5418.
Technical detail
CVE-2019-5418 is a path traversal in Rails’ Action View that manifests when a controller or view renders a file from disk using render file: while the request supplies a crafted Accept header NVD: CVE-2019-5418. The issue allows an attacker to influence template resolution such that Rails renders a file path chosen by the attacker, leading to disclosure of arbitrary server files MITRE: CVE-2019-5418. NVD and CISA both describe the condition as path traversal (CWE-22), reflecting unintended access outside the intended template directories NVD: CWE-22 on CVE-2019-5418.
Critically, the exploit vector abuses the HTTP Accept header rather than URL paths or body parameters, meaning a request that looks otherwise benign can still trigger the vulnerable code path if the application invokes render file: on a route reachable by the attacker NVD: CVE-2019-5418. Because the flaw results in file rendering, the immediate impact is loss of confidentiality via exposure of file contents, which can cascade into secondary compromise depending on what files are accessible to the application process MITRE: CVE-2019-5418. CISA’s designation in KEV indicates confirmed exploitation, which often aligns with automated probing campaigns that vary headers to discover exploitable endpoints at scale CISA KEV.
Operationally, exploitation requires two preconditions: a reachable endpoint that performs render file: and an attacker-controlled Accept header supplying the crafted value that triggers path traversal in the template resolution logic NVD: CVE-2019-5418. Where both conditions are present, arbitrary files may be returned in HTTP responses, enabling off-host exfiltration of sensitive data via normal web traffic patterns MITRE: CVE-2019-5418.
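The "Code hardening" direction above in plain Ruby, as an added example that is not code from the advisory, from Rails, or from any real application: a constrained resolver a controller could call instead of handing a request-derived name to render file:, with the format chosen by the application rather than by content negotiation. The template root and extension allowlist are assumed; upgrading Rails remains the actual fix.

```ruby
require "pathname"

# Assumed application values, not from the advisory.
TEMPLATE_ROOT = Pathname.new("/srv/app/app/views/static").cleanpath
FORMAT_EXT    = { "html" => ".html.erb", "text" => ".text.erb" }.freeze

# Returns the absolute path to render, or nil if the request cannot be honoured.
# The name must be a bare file name (no separators, no leading dot, no NUL), the
# format comes from the app's own allowlist (never from the Accept header), and
# the resolved path must still sit under TEMPLATE_ROOT after ".." normalisation.
def resolve_static_template(requested_name, format = "html")
  return nil if requested_name.nil? || requested_name.empty?
  return nil if requested_name.include?("\0")
  return nil if requested_name.include?("/") || requested_name.include?("\\")
  return nil if requested_name.start_with?(".")
  ext = FORMAT_EXT[format]
  return nil unless ext
  candidate = (TEMPLATE_ROOT + "#{requested_name}#{ext}").cleanpath
  return nil unless candidate.to_s.start_with?(TEMPLATE_ROOT.to_s + "/")
  candidate.to_s
end
```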
Defense
- Patch/upgrade: CISA instructs organizations to apply vendor mitigations or discontinue use if mitigations are unavailable, aligning with KEV remediation policy and timelines for actively exploited flaws CISA KEV.
- Validate exposure: Inventory Rails services and prioritize any internet-facing endpoints that might invoke render file: during request handling, as these are in-scope for this specific exploit vector NVD: CVE-2019-5418.
- Code hardening: Audit controllers and views to eliminate or constrain render file: usage on routes influenced by untrusted input, reducing the attack surface that enables the traversal condition MITRE: CVE-2019-5418.
- Compensating controls: Until patched, deploy WAF/proxy rules to scrutinize Accept header values for anomalous patterns and block/alert where unusual content negotiation values are presented to endpoints that render files NVD: header-based trigger.
- Response readiness: Treat any indicators of file disclosure via HTTP responses as potential exploitation of this CVE and initiate containment, given the confidentiality impact articulated in the vulnerability record NVD: impact details.
For agencies under Binding Operational Directive processes, this KEV inclusion sets a clear remediation imperative; align patch windows and verification with the KEV due date while maintaining compensating monitoring until validation is complete CISA KEV.
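The "Compensating controls" and "Response readiness" points above as a small detector, added here as an example and not taken from the advisory or from any vendor product: it runs over constructed access-log records, flags requests whose Accept header is not a well-formed media-type list and that target a route the application is known (from a code audit) to serve with render file:, and raises severity when such a request also received a 200 with a body. The JSON log format, the route list and the sample records are all assumed; the odd Accept values are placeholders, not real payloads.

```ruby
require "json"

# Routes the (hypothetical) app serves via render file:, taken from a code audit.
FILE_RENDER_ROUTES = ["/docs/", "/legal/"].freeze

# Simplified RFC 7231 media-range grammar: token "/" token, optional ;param=value.
TOKEN = /[!\#$%&'*+\-.^_`|~0-9A-Za-z]+/
MEDIA_RANGE = /\A#{TOKEN}\/#{TOKEN}(\s*;\s*#{TOKEN}=(#{TOKEN}|"[^"]*"))*\z/

# True when any comma-separated entry is not a well-formed media range or
# carries a ".." segment, which no legitimate content-negotiation value has.
def accept_anomalous?(accept)
  return false if accept.nil? || accept.strip.empty?  # a missing Accept is normal
  accept.split(",").any? do |range|
    r = range.strip
    r.include?("..") || !MEDIA_RANGE.match?(r)
  end
end

def file_render_route?(path)
  FILE_RENDER_ROUTES.any? { |prefix| path.start_with?(prefix) }
end

# Scans JSON-per-line access records; a finding is "high" when the anomalous
# request also got a 200 with a non-empty body (possible disclosure), else "medium".
def scan_access_log(lines)
  lines.each_with_object([]) do |line, findings|
    rec = JSON.parse(line)
    next unless accept_anomalous?(rec["accept"]) && file_render_route?(rec["path"])
    served = rec["status"] == 200 && rec["bytes"].to_i > 0
    findings << { src: rec["src"], path: rec["path"], severity: served ? "high" : "medium" }
  end
end

# Constructed sample records (not real traffic); the odd Accept values are placeholders.
SAMPLE_LOG = [
  '{"src":"203.0.113.7","path":"/docs/terms","accept":"text/html,*/*;q=0.8","status":200,"bytes":5120}',
  '{"src":"198.51.100.9","path":"/docs/terms","accept":"../../placeholder","status":200,"bytes":2048}',
  '{"src":"198.51.100.9","path":"/api/users","accept":"not a media type","status":200,"bytes":310}',
  '{"src":"198.51.100.9","path":"/legal/privacy","accept":"../../placeholder","status":406,"bytes":0}'
].freeze

scan_access_log(SAMPLE_LOG).each do |f|
  puts "#{f[:severity].upcase}: anomalous Accept from #{f[:src]} to #{f[:path]}"
end
```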
Lyrie Verdict
Header-driven file disclosure bugs like CVE-2019-5418 are tailor-made for autonomous adversaries because they require only Accept header manipulation against routes that hit render file: NVD: CVE-2019-5418. Human-in-the-loop review is too slow for header-spray reconnaissance; defenders need in-band, machine-speed inspection that correlates Accept anomalies with file-render responses to cut off exfil in real time CISA KEV. Lyrie prioritizes KEV-designated exposures and auto-enforces detection on Rails endpoints exhibiting this pattern, focusing on the request header vector and the file-rendering behavior described in the CVE record to stop rogue-AI probing before data bleeds MITRE: CVE-2019-5418.