Lucene search
+L
RubygemsMost viewed

1255 matches found

RubySec
RubySec
added 2026/04/02 12:0 a.m.10 views

Rack:: Static header_rules bypass via URL-encoded paths

Summary Rack::Staticapplicablerules evaluates several headerrules types against the raw URL-encoded PATHINFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers...

5.3CVSS5.8AI score0.00195EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/03/23 12:0 a.m.10 views

Rails Active Storage has possible glob injection in its DiskService

Impact Active Storage's DiskServicedeleteprefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage director...

9.1CVSS5.7AI score0.00646EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/03/19 12:0 a.m.10 views

bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby

Impact An integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen. The JRuby implementation of bcrypt-ruby BCrypt.java computes the key-strengthening round count as a...

7.5CVSS5.8AI score0.00228EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/02/17 12:0 a.m.10 views

Rack has a Directory Traversal via Rack:Directory

Summary Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Details In directory.rb,...

7.5CVSS5.5AI score0.00665EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/02/09 12:0 a.m.10 views

Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs e.g. //evil.com/path are treated as network-path references that override the base URL's host/authority...

5.8CVSS5.5AI score0.00351EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/02/05 12:0 a.m.10 views

Unauthenticated Spree Commerce users can access all guest addresses

Summary A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information PII includi...

8.7CVSS5.9AI score0.00599EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2025/11/06 12:0 a.m.10 views

MQTT does not validate hostnames

A flaw was found in Rubygem MQTT. By default, the package used to not have hostname validation, resulting in possible Man-in-the-Middle MITM attack...

7.4CVSS6.6AI score0.00343EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/11/06 12:0 a.m.10 views

Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

Impact The prosemirrortohtml gem is vulnerable to Cross-Site Scripting XSS attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Who is impacted: - Any application using...

7.6CVSS6.5AI score0.00216EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/10/10 12:0 a.m.10 views

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing

Summary Rack::RequestPOST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.readnil without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of...

7.5CVSS6.5AI score0.00605EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/10/07 12:0 a.m.10 views

CVE-2025-61594 - URI Credential Leakage Bypass over CVE-2025-27221

In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. This vulnerability has been assigned the CVE identifier CVE-2025-61594. We recommend upgrading the uri gem. Details When using the + operator to combine URIs, sensitive information like...

7.5CVSS7.1AI score0.0051EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/09/25 12:0 a.m.10 views

Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters

Summary Rack::QueryParser in version 2.2.18 enforces its paramslimit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Details The issue arises...

7.5CVSS6.8AI score0.00535EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/08/20 12:0 a.m.10 views

Spree Commerce is vulnerable to RCE through Search API

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the searchinstanceeval parameter, which is dynamically invoked using Ruby’s send method. Thi...

9.8CVSS7.5AI score0.02464EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2025/08/13 12:0 a.m.10 views

Active Record logging vulnerable to ANSI escape injection

This vulnerability has been assigned the CVE identifier CVE-2025-55193 Impact The ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal, it may include unescaped ANSI sequences. Releases The fixed releases are available at the normal locations...

6.9CVSS7.2AI score0.00565EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/06/13 12:0 a.m.10 views

OpenC3 COSMOS Vulnerable to Directory Traversal via openc3-api/tables endpoint

An issue in the openc3-api/tables endpoint of OpenC3 COSMOS 6.0.0 allows attackers to execute a directory traversal...

7.5CVSS7.3AI score0.00856EPSS
Exploits1References1
RubySec
RubySec
added 2025/05/08 12:0 a.m.10 views

Rack session gets restored after deletion

Summary When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Details Rack session middleware prepares the session at the beginning of request, then saves is back to the store wit...

4.2CVSS6.7AI score0.00282EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2023/04/04 12:0 a.m.10 views

Fluent Fluentd and Fluent-ui use default password

An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 that allows attackers to gain escilated privileges and execute arbitrary code due to use of a default password...

8.8CVSS9AI score0.00786EPSS
Exploits1References1
RubySec
RubySec
added 2022/05/19 12:0 a.m.10 views

Insecure PRNG use in random_password_generator

The randompasswordgenerator aka RandomPasswordGenerator gem through 1.0.0 for Ruby uses Kernelrand to generate passwords, which, due to its cyclic nature, can facilitate password prediction...

7.5CVSS2.1AI score0.0182EPSS
Exploits1References1
RubySec
RubySec
added 2017/10/24 12:0 a.m.10 views

WEBrick Improper Input Validation vulnerability

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrar...

7.5CVSS7.8AI score0.15684EPSS
Exploits2References1Affected Software1
RubySec
RubySec
added 2013/02/21 12:0 a.m.10 views

Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution

Spree contains a flaw that is triggered when handling input passed via the 'promotionrule' parameter to promotionrulescontroller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands...

5.1AI score0.01531EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/06/09 12:0 a.m.9 views

DFVULN-839 - Use-After-Free in MessagePack::Buffer#clear Enables Cross-Buffer Disclosure

Summary MessagePack::Bufferclear shifts out every chunk and returns its 4 KiB rmem page to the shared pool, but does not reset the buffer's rmem cursor rmemlast, rmemend, rmemowner. The next write sees "unused rmem space" left over from the freed page and hands back a slice of memory that has...

5.9AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/04/08 12:0 a.m.9 views

Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization

'Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted...

9.8CVSS5.8AI score0.0027EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/04/02 12:0 a.m.9 views

Rack::Static prefix matching can expose unintended files under the static root

Summary Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or...

7.5CVSS5.8AI score0.00387EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/03/16 12:0 a.m.9 views

Confirmable "change email" race condition permits user to confirm email they have no access to

Impact A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option the default when using Confirmable with email changes. By sending two concurrent email change requests, an...

6CVSS5.8AI score0.00275EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/02/05 12:0 a.m.9 views

Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Unauthenticated users can view completed guest orders by Order ID GHSL-2026-029 The OrdersControllershow action permits viewing completed guest orders by order number alone, without requiring the associated order token. Order lookup without enforcing token requirement in OrdersControllershow: rub...

8.7CVSS5.5AI score0.00441EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/02/02 12:0 a.m.9 views

foreman_kubevirt disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set

A flaw was found in foremankubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority CA certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and...

8.1CVSS5.3AI score0.00274EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/02/02 12:0 a.m.9 views

fog-kubevirt allows remote attacker to perform MITM attack due to disabled certificate validation

A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle MITM attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in...

8.1CVSS5.2AI score0.00254EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/01/21 12:0 a.m.9 views

AlchemyCMS - Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Summary A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Details The...

9.9CVSS6.2AI score0.00426EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/01/08 12:0 a.m.9 views

Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Summary An Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...

6.5CVSS6.1AI score0.00371EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2025/12/16 12:0 a.m.9 views

ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay

Impact A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modifi...

6.5CVSS6.6AI score0.00272EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/10/10 12:0 a.m.9 views

Sinatra is vulnerable to ReDoS through ETag header value generation

Summary There is a denial of service vulnerability in the If-Match and If-None-Match header parsing component of Sinatra, if the etag method is used when constructing the response and you are using Ruby = 3.2...

7.5CVSS6.5AI score0.00458EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2025/10/10 12:0 a.m.9 views

Rack has a Possible Information Disclosure Vulnerability

Summary A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers such as Nginx. Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially...

5.8CVSS6.1AI score0.00434EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/10/07 12:0 a.m.9 views

Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)

Summary Rack::Multipart::Parser buffers the entire multipart preamble bytes before the first boundary in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory OOM...

7.5CVSS7.2AI score0.00868EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/09/17 12:0 a.m.9 views

REXML has DoS condition when parsing malformed XML file

Impact The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches REXML gems 3.4.2 or later include the patches to fix these vulnerabilities...

5.3CVSS7.1AI score0.00231EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2025/07/08 12:0 a.m.9 views

Possible Denial of Service in resolv gem

A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby. The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name...

7.5CVSS6.3AI score0.00539EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2023/04/03 9:0 p.m.9 views

Fluent Fluentd and Fluent-ui use default password

An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 that allows attackers to gain escilated privileges and execute arbitrary code due to use of a default password...

8.8CVSS9AI score0.00786EPSS
Exploits1References1
RubySec
RubySec
added 2022/01/06 12:0 a.m.9 views

Regular Expression Denial of Service (ReDoS) in lodash

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service ReDoS via the toNumber, trim and trimEnd functions. Steps to reproduce provided by reporter Liyuan Chen: var lo = require'lodash'; function buildblankn var ret = "1" for var i = 0; i n; i++ ret ...

5.3CVSS7AI score0.07336EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2021/08/01 12:0 a.m.9 views

imap - StartTLS stripping attack

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between th...

7.4CVSS7AI score0.02909EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2019/11/26 12:0 a.m.9 views

Private Ruby OpenSSL RSA key generation is always "1"

The OpenSSL extension of Ruby Git trunk versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on strong private RSA keys generation...

9.8CVSS6.9AI score0.02529EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.8 views

Oj - Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent

Summary Oj.dump in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the...

2.1CVSS6.1AI score0.00119EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.8 views

Oj - Use-After-Free in Oj::Parser Symbol Key Cache Toggle

Summary Disabling symbolkeys on a reused Oj::Parser instance triggers a heap use-after-free. When symbolkeys is toggled from true to false, optsymbolkeysset frees the internal key cache cachefree but does not clear the pointer. The next parse call reads from the freed cache via cacheintern,...

6.3CVSS5.8AI score0.00428EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.8 views

Oj - intern.c form_attr (uninitialized stack read)

Summary Oj.load in :object mode reads uninitialized stack memory and, for long keys, reads out of bounds when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. Impact Information disclosure of process stack memor...

5.3CVSS5.9AI score0.00197EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.8 views

Oj - Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input

Summary Oj::Doceachchild, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON. Impact Reliable denial of service: any endpoint that calls Oj::Doc.openuntrusted |d|...

7.5CVSS6AI score0.00263EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.8 views

Concurrent Ruby - ReadWriteLock allows wrong-thread write release and stray read-release counter corruption

Summary Concurrent::ReadWriteLockreleasewritelock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still...

9.8CVSS5.9AI score0.0016EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/17 12:0 a.m.8 views

Avo - Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation

Summary A critical missing authorization flaw exists in Avo's association attach workflow. The UI and GET /resources/:resource/:id/:related/new path can check attach?, but the actual write endpoint, POST /resources/:resource/:id/:related, does not run the same authorization check before mutating...

9.6CVSS6AI score0.00331EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/01 12:0 a.m.8 views

SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`

Summary CssParser::Parserreadremotefile and therefore loaduri!, and the @import-following branch of addblock! issues HTTP/HTTPS requests against any host, port and URI it is handed, with no scheme allowlist, no host / IP filtering, and no protection against link-local, loopback or RFC‑1918...

8.9CVSS5.9AI score0.00489EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/04/09 12:0 a.m.8 views

bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)

Unverified certifier signatures persisted by acquirecertificate Affected packages Both bsv-sdk and bsv-wallet are published from the sgbett/bsv-ruby-sdk repository. The vulnerable code lives in lib/bsv/walletinterface/walletclient.rb, which is physically shipped inside both gems the...

8.1CVSS6AI score0.00135EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/04/09 12:0 a.m.8 views

bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)

Unverified certifier signatures persisted by acquirecertificate Affected packages Both bsv-sdk and bsv-wallet are published from the sgbett/bsv-ruby-sdk repository. The vulnerable code lives in lib/bsv/walletinterface/walletclient.rb, which is physically shipped inside both gems the...

8.1CVSS6.1AI score0.00135EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/03/27 12:0 a.m.8 views

Ruby LSP has arbitrary code execution through branch setting

Summary The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace setting that get automatically...

9.8CVSS6.1AI score0.00479EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/03/27 12:0 a.m.8 views

MCP Ruby SDK - Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

Summary The Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events SSE stream and intercept all real-time data. Details Root Cause The StreamableHTTPTransport...

8.2CVSS5.8AI score0.00465EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/03/20 12:0 a.m.8 views

Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Summary An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations...

9.1CVSS6AI score0.00632EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities1255