Here you will find information about security issues of Ruby.

Reporting Security Vulnerabilities

Security vulnerabilities in the Ruby programming language should be reported through our bounty program page at HackerOne. Please ensure you read the specific details around the scope of our program before reporting an issue. Any valid reported problems will be published after fixes.

If you have found an issue affecting one of our websites, please report it via GitHub or you can check our Google Groups for security announcements.

If you have found an issue that affects a specific Ruby community’s gem, follow the instructions on RubyGems.org.

To get in touch with the security team directly outside of HackerOne, you can send email to security@ruby-lang.org (the PGP public key), which is a private mailing list.

The members of the mailing list are people who provide Ruby (Ruby committers and authors of other Ruby implementations, distributors, PaaS platformers). The members must be individual people, mailing lists are not permitted.

Known issues

Here are recent issues:

• CVE-2025-24294: Possible Denial of Service in resolv gem
  2025年07月08日
• CVE-2025-43857: DoS vulnerability in net-imap
  2025年04月28日
• Security advisories: CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221
  2025年02月26日
• CVE-2025-25186: DoS vulnerability in net-imap
  2025年02月10日
• CVE-2024-49761: ReDoS vulnerability in REXML
  2024年10月28日
• CVE-2024-43398: DoS vulnerability in REXML
  2024年08月22日
• CVE-2024-41946: DoS vulnerability in REXML
  2024年08月01日
• CVE-2024-41123: DoS vulnerabilities in REXML
  2024年08月01日
• CVE-2024-39908: DoS vulnerability in REXML
  2024年07月16日
• CVE-2024-35176: DoS vulnerability in REXML
  2024年05月16日
• CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
  2024年04月23日
• CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
  2024年03月21日
• CVE-2024-27280: Buffer overread vulnerability in StringIO
  2024年03月21日
• CVE-2023-36617: ReDoS vulnerability in URI
  2023年06月29日
• CVE-2023-28756: ReDoS vulnerability in Time
  2023年03月30日
• CVE-2023-28755: ReDoS vulnerability in URI
  2023年03月28日
• CVE-2021-33621: HTTP response splitting in CGI
  2022年11月22日
• CVE-2022-28738: Double free in Regexp compilation
  2022年04月12日
• CVE-2022-28739: Buffer overrun in String-to-Float conversion
  2022年04月12日
• CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
  2021年11月24日
• CVE-2021-41816: Buffer Overrun in CGI.escape_html
  2021年11月24日
• CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
  2021年11月15日
• CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
  2021年07月07日
• CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
  2021年07月07日
• CVE-2021-31799: A command injection vulnerability in RDoc
  2021年05月02日
• CVE-2021-28965: XML round-trip vulnerability in REXML
  2021年04月05日
• CVE-2021-28966: Path traversal in Tempfile on Windows
  2021年04月05日
• CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
  2020年09月29日
• CVE-2020-10933: Heap exposure vulnerability in the socket library
  2020年03月31日
• CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)
  2020年03月19日
• CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
  2019年10月01日
• CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
  2019年10月01日
• CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  2019年10月01日
• CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
  2019年10月01日
• Multiple jQuery vulnerabilities in RDoc
  2019年08月28日
• Multiple vulnerabilities in RubyGems
  2019年03月05日
• CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
  2018年10月17日
• CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives
  2018年10月17日
• CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
  2018年03月28日
• CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
  2018年03月28日
• CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
  2018年03月28日
• CVE-2018-8777: DoS by large request in WEBrick
  2018年03月28日
• CVE-2017-17742: HTTP response splitting in WEBrick
  2018年03月28日
• CVE-2018-8778: Buffer under-read in String#unpack
  2018年03月28日
• Multiple vulnerabilities in RubyGems
  2018年02月17日
• CVE-2017-17405: Command injection vulnerability in Net::FTP
  2017年12月14日
• CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
  2017年09月14日
• CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
  2017年09月14日
• CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
  2017年09月14日
• CVE-2017-14064: Heap exposure vulnerability in generating JSON
  2017年09月14日
• Multiple vulnerabilities in RubyGems
  2017年08月29日
• CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL
  2015年12月16日
• CVE-2015-1855: Ruby OpenSSL Hostname Verification
  2015年04月13日
• CVE-2014-8090: Another Denial of Service XML Expansion
  2014年11月13日
• CVE-2014-8080: Denial of Service XML Expansion
  2014年10月27日
• Changed default settings of ext/openssl
  2014年10月27日
• Dispute of Vulnerability CVE-2014-2734
  2014年05月09日
• OpenSSL Severe Vulnerability in TLS Heartbeat Extension (CVE-2014-0160)
  2014年04月10日
• Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)
  2014年03月29日
• Heap Overflow in Floating Point Parsing (CVE-2013-4164)
  2013年11月22日
• Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)
  2013年06月27日
• Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065)
  2013年05月14日

More known issues:

• Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821) published at 22 Feb, 2013.
• Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) published at 22 Feb, 2013.
• XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) published at 6 Feb, 2013.
• Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371) published at 10 Nov, 2012.
• Unintentional file creation caused by inserting a illegal NUL character (CVE-2012-4522) published at 12 Oct, 2012.
• $SAFE escaping vulnerability about Exception#to_s / NameError#to_s (CVE-2012-4464, CVE-2012-4466) published at 12 Oct, 2012.
• Security Fix for RubyGems: SSL server verification failure for remote repository published at 20 Apr, 2012.
• Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack published at 16 Feb, 2012.
• Denial of service attack was found for Ruby's Hash algorithm (CVE-2011-4815) published at 28 Dec, 2011.
• Exception methods can bypass $SAFE published at 18 Feb, 2011.
• FileUtils is vulnerable to symlink race attacks published at 18 Feb, 2011.
• XSS in WEBrick (CVE-2010-0541) published at 16 Aug, 2010.
• Buffer over-run in ARGF.inplace_mode= published at 2 Jul, 2010.
• WEBrick has an Escape Sequence Injection vulnerability published at 10 Jan, 2010.
• Heap overflow in String (CVE-2009-4124) published at 7 Dec, 2009.
• DoS vulnerability in BigDecimal published at 9 Jun, 2009.
• DoS vulnerability in REXML published at 23 Aug, 2008.
• Multiple vulnerabilities in Ruby published at 8 Aug, 2008.
• Arbitrary code execution vulnerabilities published at 20 Jun, 2008.
• File access vulnerability of WEBrick published at 3 Mar, 2008.
• Net::HTTPS Vulnerability published at 4 Oct, 2007.
• Another DoS Vulnerability in CGI Library published at 4 Dec, 2006.
• DoS Vulnerability in CGI Library (CVE-2006-5467) published at 3 Nov, 2006.
• Ruby vulnerability in the safe level settings published at 2 Oct, 2005.

Syndicate

Recent News (RSS)