Sprockets has an information leak vulnerability. 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower are all affected. When the Sprockets server is used in production, specially constructed requests can be used to access files that exist on the filesystem outside of an application’s root directory. Users operating an affected release should upgrade or implement one of the workarounds as soon as possible.
It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails config.public_file_server.enabled = true
.