Anonymous Intelligence Signal

Critical CSRF Vulnerability Patched in Rails Application — Token Gap Exposed AJAX Endpoints to Request Forgery

human | The Lab | unverified | 2026-05-13 15:48:32 | Source: GitHub Issues

A critical Cross-Site Request Forgery (CSRF) vulnerability has been patched in a Rails application after researchers identified that the AJAX POST requests handling message creation were being sent without a CSRF authenticity token. The flaw stemmed from globally disabled CSRF protection: because a browser attaches the application's session cookie to any request it makes to that origin, a page controlled by an attacker could have submitted state-changing requests that the server would accept as coming from the authenticated user.

The vulnerability affected the application's message creation functionality. Investigators found that `protect_from_forgery with: :exception` had been commented out in `app/controllers/application_controller.rb`, which disables Rails' built-in CSRF defense for every controller that inherits from it. Compounding the issue, `<%= csrf_meta_tags %>` had also been removed from `app/views/layouts/application.html.erb`. That helper renders the `<meta name="csrf-param">` and `<meta name="csrf-token">` tags from which the frontend JavaScript (rails-ujs and Turbo read them automatically) takes the token it sends in the `X-CSRF-Token` header; without the tags, AJAX form submissions carried no authenticity token at all. The token check is performed by the server, not the browser: with the check disabled, the application had no way to distinguish a request triggered from its own pages from one triggered by a third-party site, which is exactly the gap cross-site forgery exploits.

The fix involves two targeted changes. First, global CSRF protection was restored by uncommenting the `protect_from_forgery with: :exception` directive in the application controller, so any non-GET/HEAD request that lacks a token matching the one stored in the session raises `ActionController::InvalidAuthenticityToken` (rendered as HTTP 422 in production). Second, the CSRF meta tags were reinstated in the layout file, so JavaScript-driven form submissions once again carry the required authenticity token. Two checks are worth adding when reviewing the patch: confirm that no individual controller still has a `skip_before_action :verify_authenticity_token` (or `skip_forgery_protection`) that would reopen the gap, and confirm that `config.action_controller.allow_forgery_protection` is not set to `false` outside the test environment, since that setting silently overrides the controller directive. Security analysts noted that applications with disabled CSRF protections face elevated risk whenever authenticated sessions handle sensitive operations. The patch has been committed to the repository for review and merge.
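To make the mechanism behind both the flaw and the fix concrete, the following Ruby script is an added example, not code from the affected repository or from Rails itself. It models the server side of Rails' forgery check (a per-session raw token, a per-request masked token such as `csrf_meta_tags` renders, and a constant-time comparison of the unmasked value) as a small standalone handler for a hypothetical `messages#create` action, and runs a forged request against it with protection off and on. The `Request` struct, the `create_message` handler and the sample messages are constructed for the demo; the masking scheme follows the one Rails documents (a random one-time pad prepended to pad XOR raw token).

```ruby
require 'securerandom'
require 'base64'

# Added example: a Rails-free model of `protect_from_forgery with: :exception`.
module CsrfDemo
  TOKEN_LENGTH = 32

  class InvalidAuthenticityToken < StandardError; end

  # Constructed stand-in for a Rack/Rails request: method, params, headers.
  Request = Struct.new(:method, :params, :headers, keyword_init: true)

  # The raw secret lives in the session (Rails: session[:_csrf_token]).
  def self.raw_token(session)
    session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH))
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Per-request token as rendered into <meta name="csrf-token"> or a hidden
  # authenticity_token field: a fresh one-time pad, then pad XOR raw token.
  # A different value per render keeps the secret out of compression
  # side channels while every rendered value still unmasks to the same raw token.
  def self.masked_token(session)
    raw = Base64.strict_decode64(raw_token(session))
    pad = SecureRandom.random_bytes(raw.bytesize)
    Base64.strict_encode64(pad + xor(pad, raw))
  end

  # Recover the raw token from a presented masked token; nil if malformed.
  def self.unmask(masked)
    bytes = Base64.strict_decode64(masked.to_s)
    return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
    xor(bytes[0, TOKEN_LENGTH], bytes[TOKEN_LENGTH, TOKEN_LENGTH])
  rescue ArgumentError
    nil
  end

  # Constant-time comparison so a wrong token cannot be guessed byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Server-side check. GET/HEAD are exempt; anything else must present the
  # token as the authenticity_token param or, for AJAX, the X-CSRF-Token header.
  def self.verified_request?(req, session)
    return true if %w[GET HEAD].include?(req.method)
    presented = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
    candidate = unmask(presented)
    return false if candidate.nil?
    secure_compare(candidate, Base64.strict_decode64(raw_token(session)))
  end

  # Hypothetical messages#create. protect: false mirrors the commented-out
  # directive; protect: true mirrors `with: :exception`.
  def self.create_message(req, session, protect:)
    if protect && !verified_request?(req, session)
      raise InvalidAuthenticityToken, 'missing or invalid CSRF token'
    end
    (session[:messages] ||= []) << req.params['body']
    :created
  end

  # Constructed scenario: a victim session, a legitimate AJAX post that carries
  # the page's token, and a cross-site forgery that rides on the cookie alone.
  def self.demo
    session = {}
    page_token = masked_token(session)
    legit  = Request.new(method: 'POST', params: { 'body' => 'hello' },
                         headers: { 'X-CSRF-Token' => page_token })
    forged = Request.new(method: 'POST', params: { 'body' => 'forged' }, headers: {})
    forged_with_protection = begin
      create_message(forged, session, protect: true)
    rescue InvalidAuthenticityToken
      :rejected
    end
    {
      forged_without_protection: create_message(forged, session, protect: false),
      legit_with_protection: create_message(legit, session, protect: true),
      forged_with_protection: forged_with_protection
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  CsrfDemo.demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The forged request is accepted only while protection is off; with it on, the same request is rejected because the attacker's page has no way to read the victim's token, and a token issued to a different session fails the comparison as well. Restoring `csrf_meta_tags` is what puts `page_token` back in the legitimate request's `X-CSRF-Token` header.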