Multiple vulnerabilities in RubyGems

There are multiple vulnerabilities in RubyGems bundled by Ruby. It is reported at the official blog of RubyGems.


The following vulnerabilities have been reported.

  • Prevent path traversal when writing to a symlinked basedir outside of the root.
  • Fix possible Unsafe Object Deserialization Vulnerability in gem owner.
  • Strictly interpret octal fields in tar headers.
  • Raise a security error when there are duplicate files in a package.
  • Enforce URL validation on spec homepage attribute.
  • Mitigate XSS vulnerability in homepage attribute when displayed via gem server.
  • Prevent Path Traversal issue during gem installation.

It is strongly recommended for Ruby users to take one of the following workarounds as soon as possible.

Affected Versions

  • Ruby 2.2 series: 2.2.9 and earlier
  • Ruby 2.3 series: 2.3.6 and earlier
  • Ruby 2.4 series: 2.4.3 and earlier
  • Ruby 2.5 series: 2.5.0 and earlier
  • prior to trunk revision 62422


RubyGems 2.7.6 or later includes the fix for the vulnerabilities, so upgrade RubyGems to the latest version.

gem update --system

If you can’t upgrade RubyGems, you can apply the following patches as a workaround.

About the trunk, update to the latest revision.


This report is based on the official blog of RubyGems.


  • Originally published at 2018-02-17 03:00:00 UTC