sprockets
gem version is susceptible to path traversal vulnerability RB-A1009. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory when the Sprockets server is used in production. Upgrading to a newer version of the gem fixes this issue.
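To make the vulnerability class concrete from the defender's side, here is an added example (not code from the advisory and not Sprockets' own implementation or patch) of the containment check an asset server needs before reading a file: the requested path is resolved against the asset root and refused if it lands anywhere else. The root directory, the hypothetical resolve_asset function and the sample requests are all constructed for the illustration.

```ruby
require "uri"

# Constructed example root; a real application would use its asset directory.
ASSET_ROOT = "/srv/app/public/assets"

# Resolve a requested asset path against the root and refuse anything that
# escapes it. Percent-encoding is decoded once so "..%2F" is treated the same
# as "../". Returns the absolute path strictly inside the root, or nil when the
# request would read outside it (or is otherwise malformed).
def resolve_asset(requested, root = ASSET_ROOT)
  decoded = URI.decode_www_form_component(requested.to_s)
  # A NUL byte would truncate the path at the OS level; reject outright.
  return nil if decoded.include?("\0")

  root_abs = File.absolute_path(root)
  # File.absolute_path (unlike File.expand_path) does not expand a leading "~",
  # so a request cannot be redirected into a user's home directory.
  candidate = File.absolute_path(decoded, root_abs)

  # Require the trailing separator: a plain prefix test would let
  # "../assets-old/x.js" pass because "/srv/.../assets-old" starts with
  # "/srv/.../assets".
  return nil unless candidate.start_with?(root_abs + File::SEPARATOR)
  candidate
end

# Convenience predicate for log review or request filtering.
def asset_request_escapes_root?(requested, root = ASSET_ROOT)
  resolve_asset(requested, root).nil?
end

if __FILE__ == $0
  # Constructed sample requests: the first two are benign, the rest escape.
  [
    "application-abc123.js",
    "css/../app.css",
    "../../../etc/passwd",
    "..%2F..%2Fconfig%2Fdatabase.yml",
    "/etc/passwd",
    "../assets-old/x.js",
    "app.js%00.png",
  ].each do |req|
    puts format("%-36s -> %s", req, resolve_asset(req) || "REJECTED")
  end
end
```

The check is deliberately done on the normalized absolute path rather than by scanning the request for "..", because encoded, doubled or mixed separators are all collapsed by the normalization step and only the final location matters.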
Workaround:
In Rails applications, you can avoid this by setting config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompiling the assets.
Note: This workaround will not be possible in all hosting environments, and upgrading is strongly advised.
Affected Versions: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower.