bibtex-ruby is vulnerable to OS command injection. When opening and parsing the .bib file at a given path, unescaped user data is passed through BibTeX.open to the unsafe built-in Kernel.open method, allowing the execution of arbitrary OS commands.
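The root cause is that Kernel.open treats a path beginning with a pipe character as a command to run, while File.open only ever opens a file of exactly that name. The helper below is an added example, not bibtex-ruby's own code: the name `safe_open_bib` and the sample .bib content are assumptions constructed here to show the hardened pattern a caller or the library could use in place of Kernel.open.

```ruby
# Added example (not bibtex-ruby's own code): a hardened path-opening helper
# illustrating the fix for the Kernel.open issue described above.
#
# Kernel.open treats a leading "|" as "run this command and open a pipe to it",
# so handing it a user-controlled path is command injection. File.open has no
# such behaviour: it only ever opens a file with exactly that name.

require "tempfile"

# Hypothetical helper name; bibtex-ruby's real entry point is BibTeX.open.
def safe_open_bib(path)
  raise ArgumentError, "path must be a String" unless path.is_a?(String)
  # Defence in depth: refuse pipe-style paths explicitly so the intent survives
  # even if someone later swaps File.open back for Kernel.open.
  raise ArgumentError, "refusing pipe-style path: #{path.inspect}" if path.start_with?("|")
  raise ArgumentError, "path contains a NUL byte" if path.include?("\0")

  # File.open (not Kernel.open) never spawns a process, whatever the string looks like.
  File.open(path, "r:UTF-8") { |f| f.read }
end

# Returns true if the helper rejects the input before touching the OS.
def rejects?(path)
  safe_open_bib(path)
  false
rescue ArgumentError
  true
end

# Constructed sample .bib content used only for this demonstration.
SAMPLE_BIB = "@article{key2024,\n  title = {An Example},\n  year = {2024}\n}\n".freeze

# Writes the sample to a temporary file and reads it back through the helper.
def roundtrip_sample
  Tempfile.create(["sample", ".bib"]) do |tmp|
    tmp.write(SAMPLE_BIB)
    tmp.flush
    safe_open_bib(tmp.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts roundtrip_sample
  # Constructed placeholder string, not a real command; it is rejected, never run.
  puts "pipe-style path rejected: #{rejects?('|not-a-file')}"
end
```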