Skip to content

OWASP/RailsGoat

Overview

I've modified the OWASP/RailsGoat web application a bit. It contains the RCE controller to run commands and see if we can detect them, for example http://localhost:3000/rce?cmd=ls%20-l or http://localhost:3000/rce_marshal?cmd=ls%20-l.

Also some Gems are pinned to older versions to demonstrate that we can exploit vulnerable code execution paths.

In addition, the app is instrumented with Pyroscope SDK for Ruby so you can see code execution paths as stack traces represented as flame graphs in Pyroscope UI.

Kubernetes

k apply -f https://raw.githubusercontent.com/danielpacak/vulnerable-kubernetes-deployments/refs/heads/main/examples/railsgoat/ruby341-rails710/all.yaml

k apply -f https://raw.githubusercontent.com/danielpacak/vulnerable-kubernetes-deployments/refs/heads/main/examples/railsgoat/ruby401-rails710/all.yaml

SBOM

syft scan docker.io/danielpacak/railsgoat:ruby-4.0.1-rails-7.1.0 -o json > railsgoat-ruby401-rails710.sbom.json

jq '.artifacts[]  | select(.type=="gem") | "\(.name) \(.version)"' railsgoat-ruby401-rails710.sbom.json

jq '.artifacts[] | select(.name=="actiontext")' railsgoat-ruby401-rails710.sbom.json

{
  "id": "d73207f494f67226",
  "name": "actiontext",
  "version": "7.1.0",
  "type": "gem",
  "foundBy": "ruby-installed-gemspec-cataloger",
  "locations": [
    {
      "path": "/usr/local/bundle/specifications/actiontext-7.1.0.gemspec",
      "layerID": "sha256:a892bf958e0f1ff549909c216fc9c2c0bf6917aa7977dd06565736bdba0a6e97",
      "accessPath": "/usr/local/bundle/specifications/actiontext-7.1.0.gemspec",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "language": "ruby",
  "purl": "pkg:gem/actiontext@7.1.0",
  "metadataType": "ruby-gemspec",
  "metadata": {
    "name": "actiontext",
    "version": "7.1.0",
    "authors": [
      "Javan Makhmali",
      "Sam Stephenson",
      "David Heinemeier Hansson"
    ],
    "homepage": "https://rubyonrails.org"
  }
}

Vulnerabilities

grype --by-cve docker.io/danielpacak/railsgoat:ruby-3.4.1-rails-7.1.0
NAME INSTALLED VULNERABILITY SEVERITY
actionpack 7.1.0 CVE-2024-26143 Medium
actionpack 7.1.0 CVE-2024-47887 Medium
actionpack 7.1.0 CVE-2024-54133 Low
actiontext 7.1.0 CVE-2024-47888 Medium
actiontext 7.1.0 CVE-2024-32464 Medium
net-imap 0.5.4 CVE-2025-25186 Medium
net-imap 0.5.4 CVE-2025-43857 Medium
actionmailer 7.1.0 CVE-2024-47889 Medium
activerecord 7.1.0 CVE-2025-55193 Medium
resolv 0.6.0 CVE-2025-24294 Medium
uri 1.0.2 CVE-2025-61594 Low
rexml 3.4.0 CVE-2025-58767 Low
activestorage 7.1.0 CVE-2025-24293 Critical 
grype --by-cve docker.io/danielpacak/railsgoat:ruby-4.0.1-rails-7.1.0
NAME INSTALLED VULNERABILITY SEVERITY
actionpack 7.1.0 CVE-2024-54133 Low
actionpack 7.1.0 CVE-2024-47887 Medium
actionpack 7.1.0 CVE-2024-28103 Medium
actionpack 7.1.0 CVE-2024-26142 Low
activerecord 7.1.0 CVE-2025-55193 Medium
activestorage 7.1.0 CVE-2025-24293 Critical
actionmailer 7.1.0 CVE-2024-47889 Medium
actiontext 7.1.0 CVE-2024-47888 Medium
actiontext 7.1.0 CVE-2024-32464 Medium

RailsGoat and Pyroscope in Docker

docker network create railsgoat

docker run --rm -d --name pyroscope --network=railsgoat -p 4040:4040 grafana/pyroscope:latest
docker run --rm -d --name railsgoat --network railsgoat \
  -e PYROSCOPE_URL=http://pyroscope:4040 \
  -p 3000:3000 \
  docker.io/danielpacak/railsgoat:ruby-4.0.1-rails-7.1.0 \
    /bin/sh -c "rails db:setup && rm -f tmp/pids/server.pid && bundle exec rails s -p 3000 -b '0.0.0.0'"

docker stop pyroscope railsgoat

Releases

List of Git branches with different versions of Ruby:

git clone git@github.com:danielpacak/railsgoat.git
cd railsgoat

List of container images published to DockerHub:

Further Reading