There is a possible open redirect when using the redirect_to helper with untrusted user input.
Vulnerable code will look like this:
Rails 7.0 introduced protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could be bypassed by a carefully crafted URL.
Created rubygem-actionpack tracking bugs for this issue:
Affects: fedora-all [bug 2164802]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):