Here you will find information about security issues of Ruby.
Reporting Security Vulnerabilities
Security vulnerabilities in the Ruby programming language should be reported through our bounty program page at HackerOne. Please ensure you read the specific details around the scope of our program before reporting an issue. Any valid reported problems will be published after fixes.
If you have found an issue affecting one of our websites, please report it via GitHub or you can check our Google Groups for security announcements.
If you have found an issue that affects a specific Ruby community’s gem, follow the instructions on RubyGems.org.
To get in touch with the security team directly outside of HackerOne, you can send email to security@ruby-lang.org (the PGP public key), which is a private mailing list.
The members of the mailing list are people who provide Ruby (Ruby committers and authors of other Ruby implementations, distributors, PaaS platformers). The members must be individual people, mailing lists are not permitted.
Known issues
Here are recent issues:
- CVE-2024-49761: ReDoS vulnerability in REXML
2024-10-28 - CVE-2024-43398: DoS vulnerability in REXML
2024-08-22 - CVE-2024-41946: DoS vulnerability in REXML
2024-08-01 - CVE-2024-41123: DoS vulnerabilities in REXML
2024-08-01 - CVE-2024-39908: DoS vulnerability in REXML
2024-07-16 - CVE-2024-35176: DoS vulnerability in REXML
2024-05-16 - CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
2024-04-23 - CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
2024-03-21 - CVE-2024-27280: Buffer overread vulnerability in StringIO
2024-03-21 - CVE-2023-36617: ReDoS vulnerability in URI
2023-06-29 - CVE-2023-28756: ReDoS vulnerability in Time
2023-03-30 - CVE-2023-28755: ReDoS vulnerability in URI
2023-03-28 - CVE-2021-33621: HTTP response splitting in CGI
2022-11-22 - CVE-2022-28738: Double free in Regexp compilation
2022-04-12 - CVE-2022-28739: Buffer overrun in String-to-Float conversion
2022-04-12 - CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
2021-11-24 - CVE-2021-41816: Buffer Overrun in CGI.escape_html
2021-11-24 - CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
2021-11-15 - CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
2021-07-07 - CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
2021-07-07 - CVE-2021-31799: A command injection vulnerability in RDoc
2021-05-02 - CVE-2021-28965: XML round-trip vulnerability in REXML
2021-04-05 - CVE-2021-28966: Path traversal in Tempfile on Windows
2021-04-05 - CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
2020-09-29 - CVE-2020-10933: Heap exposure vulnerability in the socket library
2020-03-31 - CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)
2020-03-19 - CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
2019-10-01 - CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
2019-10-01 - CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
2019-10-01 - CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
2019-10-01 - Multiple jQuery vulnerabilities in RDoc
2019-08-28 - Multiple vulnerabilities in RubyGems
2019-03-05 - CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
2018-10-17 - CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives
2018-10-17 - CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
2018-03-28 - CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
2018-03-28 - CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
2018-03-28 - CVE-2018-8777: DoS by large request in WEBrick
2018-03-28 - CVE-2017-17742: HTTP response splitting in WEBrick
2018-03-28 - CVE-2018-8778: Buffer under-read in String#unpack
2018-03-28 - Multiple vulnerabilities in RubyGems
2018-02-17 - CVE-2017-17405: Command injection vulnerability in Net::FTP
2017-12-14 - CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
2017-09-14 - CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
2017-09-14 - CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
2017-09-14 - CVE-2017-14064: Heap exposure vulnerability in generating JSON
2017-09-14 - Multiple vulnerabilities in RubyGems
2017-08-29 - CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL
2015-12-16 - CVE-2015-1855: Ruby OpenSSL Hostname Verification
2015-04-13 - CVE-2014-8090: Another Denial of Service XML Expansion
2014-11-13 - CVE-2014-8080: Denial of Service XML Expansion
2014-10-27 - Changed default settings of ext/openssl
2014-10-27 - Dispute of Vulnerability CVE-2014-2734
2014-05-09 - OpenSSL Severe Vulnerability in TLS Heartbeat Extension (CVE-2014-0160)
2014-04-10 - Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)
2014-03-29 - Heap Overflow in Floating Point Parsing (CVE-2013-4164)
2013-11-22 - Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)
2013-06-27 - Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065)
2013-05-14
More known issues:
- Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821) published at 22 Feb, 2013.
- Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) published at 22 Feb, 2013.
- XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) published at 6 Feb, 2013.
- Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371) published at 10 Nov, 2012.
- Unintentional file creation caused by inserting a illegal NUL character (CVE-2012-4522) published at 12 Oct, 2012.
- $SAFE escaping vulnerability about Exception#to_s / NameError#to_s (CVE-2012-4464, CVE-2012-4466) published at 12 Oct, 2012.
- Security Fix for RubyGems: SSL server verification failure for remote repository published at 20 Apr, 2012.
- Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack published at 16 Feb, 2012.
- Denial of service attack was found for Ruby's Hash algorithm (CVE-2011-4815) published at 28 Dec, 2011.
- Exception methods can bypass $SAFE published at 18 Feb, 2011.
- FileUtils is vulnerable to symlink race attacks published at 18 Feb, 2011.
- XSS in WEBrick (CVE-2010-0541) published at 16 Aug, 2010.
- Buffer over-run in ARGF.inplace_mode= published at 2 Jul, 2010.
- WEBrick has an Escape Sequence Injection vulnerability published at 10 Jan, 2010.
- Heap overflow in String (CVE-2009-4124) published at 7 Dec, 2009.
- DoS vulnerability in BigDecimal published at 9 Jun, 2009.
- DoS vulnerability in REXML published at 23 Aug, 2008.
- Multiple vulnerabilities in Ruby published at 8 Aug, 2008.
- Arbitrary code execution vulnerabilities published at 20 Jun, 2008.
- File access vulnerability of WEBrick published at 3 Mar, 2008.
- Net::HTTPS Vulnerability published at 4 Oct, 2007.
- Another DoS Vulnerability in CGI Library published at 4 Dec, 2006.
- DoS Vulnerability in CGI Library (CVE-2006-5467) published at 3 Nov, 2006.
- Ruby vulnerability in the safe level settings published at 2 Oct, 2005.