Potential false positive: CVE-2024-54133 reported for actionpack 7.2.3

[bukreevdanil09-stack]

Question

Hi! Trivy reports CVE-2024-54133 for the Ruby gem actionpack version 7.2.3, although according to the official Rails security advisory and public CVE data, this version should not be affected.
The fix is in 7.2.2.1 and higher, so 7.2.3 should be considered patched.

Trivy version: 0.62.1
Scan command: trivy fs ./$SEC_CODE_FOLDER -f json -o $REPORT_FILE_NAME --scanners vuln --vuln-type library --skip-db-update --list-all-pkgs

Target

None

Scanner

Vulnerability

Output Format

JSON

Mode

None

Operating System

No response

Version

0.62.1

[DmitriyLewen]

Hello @bukreevdanil09-stack
Can you share more details on how we can reproduce this case?

Even with an older Trivy version (v0.62.1), I’m not able to reproduce it:

➜ cat Gemfile.lock                                                     
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (7.2.3)

PLATFORMS
  x86_64-linux

DEPENDENCIES
  actionpack (= 7.2.3)

BUNDLED WITH
   2.5.11

➜ docker run -it --rm -v ./Gemfile.lock:/test/Gemfile.lock aquasec/trivy:0.62.1 -q fs /test -f json --list-all-pkgs
{
  "SchemaVersion": 2,
  "CreatedAt": "2025-12-04T07:16:13.157828048Z",
  "ArtifactName": "/test",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "Gemfile.lock",
      "Class": "lang-pkgs",
      "Type": "bundler",
      "Packages": [
        {
          "ID": "[email protected]",
          "Name": "actionpack",
          "Identifier": {
            "PURL": "pkg:gem/[email protected]",
            "UID": "fe1f4b81ba9ff8f3"
          },
          "Version": "7.2.3",
          "Relationship": "direct",
          "Layer": {},
          "Locations": [
            {
              "StartLine": 4,
              "EndLine": 4
            }
          ]
        }
      ]
    }
  ]
}

Regards, Dmitriy

[bukreevdanil09-stack]

Dmitriy, thank you for fast reply.
I'm attaching the report and .txt with gemfile.lock (I can't attach the .lock immediately due to restrictions on attachment extensions)
Starting the scan was the command from the description above
Hope, this info will be usefull:)
report_trivy_demo.json
gemlock_example.txt

[DmitriyLewen]

Hello @bukreevdanil09-stack
This is very strange.

I can't reproduce your case with your Gemfile.lock...

➜  user cat Gemfile.lock 
PATH
  remote: .
  specs:
    space-core (1.1.0)
      apollo-federation (~> 3.10)
      async-http-faraday (~> 0.21)
      async-pool (~> 0.3)

GEM
  remote: https://redacted.example.com/repository/ruby-platform-group/
  specs:
    space-rubocop (1.0.0)
      rubocop (~> 1.36)
      rubocop-factory_bot (~> 2.27)
      rubocop-graphql (~> 1.5)
      rubocop-performance (~> 1.14)
      rubocop-rails (~> 2.14)


GEM
  remote: https://redacted.example.com/repository/rubygems.org/
  specs:
    actioncable (7.2.3)
      actionpack (= 7.2.3)
      activesupport (= 7.2.3)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
      zeitwerk (~> 2.6)
    actionmailbox (7.2.3)
      actionpack (= 7.2.3)
      activejob (= 7.2.3)
      activerecord (= 7.2.3)
      activestorage (= 7.2.3)
      activesupport (= 7.2.3)
      mail (>= 2.8.0)
    actionmailer (7.2.3)
      actionpack (= 7.2.3)
      actionview (= 7.2.3)
      activejob (= 7.2.3)
      activesupport (= 7.2.3)
      mail (>= 2.8.0)
      rails-dom-testing (~> 2.2)
    actionpack (7.2.3)
      actionview (= 7.2.3)
      activesupport (= 7.2.3)
      cgi
      nokogiri (>= 1.8.5)
      racc
      rack (>= 2.2.4, < 3.3)
      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
      useragent (~> 0.16)
    actiontext (7.2.3)
      actionpack (= 7.2.3)
      activerecord (= 7.2.3)
      activestorage (= 7.2.3)
      activesupport (= 7.2.3)
      globalid (>= 0.6.0)
      nokogiri (>= 1.8.5)
    activerecord (7.2.3)
      activemodel (= 7.2.3)
      activesupport (= 7.2.3)
      timeout (>= 0.4.0)
    activestorage (7.2.3)
      actionpack (= 7.2.3)
      activejob (= 7.2.3)
      activerecord (= 7.2.3)
      activesupport (= 7.2.3)
      marcel (~> 1.0)
    activesupport (7.2.3)
      base64
      benchmark (>= 0.3)
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.3.1)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      logger (>= 1.4.2)
      minitest (>= 5.1)
      securerandom (>= 0.3)
      tzinfo (~> 2.0, >= 2.0.5)
    railties (7.2.3)
      actionpack (= 7.2.3)
      activesupport (= 7.2.3)
      cgi
      irb (~> 1.13)
      rackup (>= 1.0.0)
      rake (>= 12.2)
      thor (~> 1.0, >= 1.2.2)
    rspec-rails (7.1.1)
      actionpack (>= 7.0)
      activesupport (>= 7.0)
      railties (>= 7.0)
      rspec-core (~> 3.13)
      rspec-expectations (~> 3.13)
      rspec-mocks (~> 3.13)
      rspec-support (~> 3.13)
    rspec-support (3.13.6)

PLATFORMS
  aarch64-linux
  aarch64-linux-gnu
  aarch64-linux-musl
  arm-linux-gnu
  arm-linux-musl
  arm64-darwin
  x86_64-darwin
  x86_64-linux
  x86_64-linux-gnu
  x86_64-linux-musl

DEPENDENCIES
  brakeman (~> 6)
  bundler (~> 2.6)
  bundler-audit (~> 0.9)
  dotenv (~> 3.1)
  factory_bot (~> 6.2)
  lefthook (~> 1.5)

BUNDLED WITH
   2.6.5
➜ trivy -q fs Gemfile.lock -f json | jq '.Results[].Vulnerabilities'
null
➜ trivy62 -q fs Gemfile.lock -f json | jq '.Results[].Vulnerabilities'
null

Do you use the latest trivy-db?
And what version of Trivy do you use? (Can you send me the "trivy version" output?)

[bukreevdanil09-stack]

trivy version command output:

$ trivy version
Version: 0.62.1
Vulnerability DB:
Version: 2
UpdatedAt: 2025-07-13 18:26:17.452245321 +0000 UTC
NextUpdate: 2025-07-14 18:26:17.452245191 +0000 UTC
DownloadedAt: 2025-07-13 21:05:07.835157966 +0000 UTC

DB was updated in july, but this CVE from 2024

[DmitriyLewen]

The Ruby repo updated this CVE two months ago — https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml

The patched version was specified as ~> 7.2.2.1.
Version 7.2.3 is not included in this range.
That is why Trivy reported this vulnerability.

DB was updated in july

Please make sure to keep your trivy-db up to date.
Otherwise, there is a chance that you may not receive updated data (as in this case) or new advisories.

[bukreevdanil09-stack]

yep, problem was on our side, sorry that disturbed you for no reason
with new DB there is no new vulns in actionpack

Thanks a lot for the answers:)