CVE-2019-5418

Rails · Ruby on Rails

Executive summary

A critical path traversal vulnerability in Ruby on Rails is under active exploitation, allowing an unauthenticated attacker to access arbitrary files, potentially leading to a full system compromise.

Vulnerability

This vulnerability exists due to improper input validation when handling file paths. An unauthenticated remote attacker can craft a malicious request with directory traversal sequences (e.g., ../) to read arbitrary files on the underlying server, bypassing intended access restrictions.
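The following is an added illustration of the general failure pattern described above (improper validation of a user-controlled file path). It is hypothetical application code, not the Rails code involved in CVE-2019-5418 and not from this advisory; the base directory `DOWNLOAD_ROOT` and the function names are assumptions. It shows a download helper that joins user input straight into a filesystem path next to a hardened version that lexically normalizes the candidate and refuses anything that resolves outside the allowed directory.

```ruby
# Assumed base directory for a hypothetical download endpoint (not from the advisory).
DOWNLOAD_ROOT = '/srv/app/public/downloads'.freeze

# Vulnerable form: user input is concatenated without validation, so a name such
# as "../../config/database.yml" escapes DOWNLOAD_ROOT. File.join does not
# normalize ".." segments.
def unsafe_download_path(name)
  File.join(DOWNLOAD_ROOT, name)
end

# Hardened form: normalize first, then require the result to stay under the
# base directory. Returns nil for any request that must be refused.
def safe_download_path(name)
  return nil if name.nil? || name.empty?
  # NUL bytes truncate paths in C-level APIs; a leading "~" would be expanded
  # to a home directory by File.expand_path.
  return nil if name.include?("\0") || name.start_with?('~')
  # Purely lexical: makes the path absolute and collapses "." and "..".
  candidate = File.expand_path(name, DOWNLOAD_ROOT)
  return nil unless candidate.start_with?(DOWNLOAD_ROOT + File::SEPARATOR)
  candidate
end

if __FILE__ == $PROGRAM_NAME
  ['report.pdf', '../../config/database.yml', '/etc/hosts', '~/notes.txt'].each do |n|
    puts "#{n.inspect}: unsafe=#{unsafe_download_path(n)} safe=#{safe_download_path(n).inspect}"
  end
end
```

Two caveats on the hardened version: the check is lexical, so a symlink inside `DOWNLOAD_ROOT` pointing elsewhere still needs a `File.realpath` check once the file is known to exist, and the input is expected to be already URL-decoded by the web layer; a literal filename containing `%2f` is just an odd filename here, not a traversal.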

Business impact

With a CVSS score of 9.5 (Critical), a successful exploit could lead to the disclosure of sensitive information, including application source code, configuration files, and credentials. This exposure can be leveraged for further attacks, resulting in a complete system compromise, significant data breaches, and severe reputational damage. The inclusion of this CVE in the CISA KEV catalog confirms its high risk and real-world impact.

Remediation

Immediate Action: Per CISA's Binding Operational Directive (BOD) 22-01, federal agencies must apply vendor-supplied mitigations by the deadline of July 27, 2025. All organizations are strongly advised to follow this guidance and apply patches or mitigations immediately.

Proactive Monitoring: Monitor web server and application logs for requests containing directory traversal patterns (e.g., ..%2f or ..\). Investigate any anomalous file access attempts by the web server's user account.
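As an added example of the monitoring step above (not part of the advisory), here is a small Ruby log scanner that flags requests whose target contains directory traversal sequences, including the percent-encoded and double-encoded forms (`..%2f`, `..%252f`) and backslash variants (`..\`). The log lines are constructed samples in combined access-log format; the field layout and the `scan_log` helper are assumptions, not a real tool's interface.

```ruby
require 'cgi'

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = <<~'LOG'
  203.0.113.10 - - [10/Jul/2025:12:00:01 +0000] "GET /assets/application.css HTTP/1.1" 200 1234
  203.0.113.11 - - [10/Jul/2025:12:00:02 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 87
  203.0.113.12 - - [10/Jul/2025:12:00:03 +0000] "GET /download?file=..%2f..%2fconfig%2fdatabase.yml HTTP/1.1" 200 512
  203.0.113.13 - - [10/Jul/2025:12:00:04 +0000] "GET /download?file=..%252f..%252fconfig HTTP/1.1" 404 0
  203.0.113.14 - - [10/Jul/2025:12:00:05 +0000] "GET /files?path=..\..\windows\win.ini HTTP/1.1" 404 0
  203.0.113.15 - - [10/Jul/2025:12:00:06 +0000] "GET /search?q=version..2 HTTP/1.1" 200 300
LOG

# Extracts method and request target from the quoted request line.
REQUEST_LINE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# ".." followed by a slash or backslash, or preceded by one at a segment boundary.
# Plain "..2" or "a..b" inside a query value does not match.
TRAVERSAL = %r{(?:\.\.[/\\])|(?:[/\\]\.\.(?:[/\\]|\z))}

# Percent-decode repeatedly until the string stops changing, so ..%2f and
# double-encoded ..%252f both collapse to ../. Returns [decoded, rounds].
def decode_fully(value, max_rounds = 3)
  current = value
  rounds = 0
  max_rounds.times do
    decoded = CGI.unescape(current)
    break if decoded == current
    current = decoded
    rounds += 1
  end
  [current, rounds]
end

def traversal?(target)
  decoded, _rounds = decode_fully(target)
  TRAVERSAL.match?(decoded)
end

# Returns one hash per suspicious line: client IP, raw target, decoded target
# and how many decoding rounds were needed (>1 means double encoding).
def scan_log(text)
  text.each_line.filter_map do |line|
    m = REQUEST_LINE.match(line) or next
    decoded, rounds = decode_fully(m[:target])
    next unless TRAVERSAL.match?(decoded)
    { ip: line.split(' ', 2).first, target: m[:target], decoded: decoded, encoding_rounds: rounds }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ip]} #{hit[:target]} -> #{hit[:decoded]} (decoded #{hit[:encoding_rounds]}x)"
  end
end
```

The scanner only sees the fields the log records; if the access log stores just the request line, traversal sequences carried in other parts of the request will not appear in it, so the same decode-then-match logic should be applied to whatever request fields the application log captures. Multiple decoding rounds are recorded because a double-encoded sequence that decodes to `../` is itself a strong signal of deliberate filter evasion.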

Compensating Controls: Deploy and configure a Web Application Firewall (WAF) with rulesets designed to detect and block directory traversal attacks. This can provide a layer of defense and act as a virtual patch if immediate updates are not feasible.

Exploitation status

Public Exploit Available: Information not available from the provided data.

Analyst recommendation

Given the critical severity and confirmed active exploitation, this vulnerability poses an immediate and severe threat to affected environments. The risk of sensitive data exposure and subsequent system compromise is extremely high. Administrators must prioritize the application of vendor-supplied mitigations immediately to prevent exploitation.