Here you will find information about security issues in Ruby.
Reporting Security Vulnerabilities
Security vulnerabilities should be reported by email to security@ruby-lang.org, a private mailing list (a PGP public key is available for encrypting reports). Reported problems are published after fixes are released.
Known issues
Here are recent issues.
- Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065) published at 14 May, 2013.
- Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821) published at 22 Feb, 2013.
- Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) published at 22 Feb, 2013.
- XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) published at 6 Feb, 2013.
- Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371) published at 10 Nov, 2012.
- Unintentional file creation caused by inserting an illegal NUL character (CVE-2012-4522) published at 12 Oct, 2012.
- $SAFE escaping vulnerability about Exception#to_s / NameError#to_s (CVE-2012-4464, CVE-2012-4466) published at 12 Oct, 2012.
- Security Fix for RubyGems: SSL server verification failure for remote repository published at 20 Apr, 2012.
- Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack published at 16 Feb, 2012.
- Denial of service attack was found for Ruby's Hash algorithm (CVE-2011-4815) published at 28 Dec, 2011.
- Exception methods can bypass $SAFE published at 18 Feb, 2011.
- FileUtils is vulnerable to symlink race attacks published at 18 Feb, 2011.
- XSS in WEBrick (CVE-2010-0541) published at 16 Aug, 2010.
- Buffer over-run in ARGF.inplace_mode= published at 2 Jul, 2010.
- WEBrick has an Escape Sequence Injection vulnerability published at 10 Jan, 2010.
- Heap overflow in String (CVE-2009-4124) published at 7 Dec, 2009.
- DoS vulnerability in BigDecimal published at 9 Jun, 2009.
- DoS vulnerability in REXML published at 23 Aug, 2008.
- Multiple vulnerabilities in Ruby published at 8 Aug, 2008.
- Arbitrary code execution vulnerabilities published at 20 Jun, 2008.
- File access vulnerability of WEBrick published at 3 Mar, 2008.
- Net::HTTPS Vulnerability published at 4 Oct, 2007.
- Another DoS Vulnerability in CGI Library published at 4 Dec, 2006.
- DoS Vulnerability in CGI Library (CVE-2006-5467) published at 3 Nov, 2006.
- Ruby vulnerability in the safe level settings published at 2 Oct, 2005.
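The NUL-character advisory above (CVE-2012-4522) is a reminder that filenames taken from untrusted input need validation before they reach the filesystem. The following is an added example, not code from ruby-lang.org or from the Ruby project: it applies a hypothetical "plain basename inside a fixed directory" policy that rejects embedded NUL bytes, path separators and dot entries, and it also confirms that current Ruby's File layer refuses a NUL-bearing path on its own with an ArgumentError. The function names and the policy are assumptions made for the example.

```ruby
require "tmpdir"

# Added example (not Ruby's own code). Hypothetical policy: an untrusted
# upload name must be a plain basename with no NUL, separators or dot entries.
def safe_basename?(name)
  return false unless name.is_a?(String)
  return false if name.empty? || name.include?("\0")        # embedded NUL, the CVE-2012-4522 class
  return false if name.include?("/") || name.include?("\\")  # path separators (traversal)
  return false if name == "." || name == ".."
  true
end

# Create an empty file under +dir+ for a validated name only.
# Returns :created, :rejected (failed validation) or :error (filesystem refused).
def create_upload(dir, name)
  return :rejected unless safe_basename?(name)
  path = File.join(dir, name)
  # O_EXCL so an attacker cannot pre-place a symlink at the target path.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write("") }
  :created
rescue ArgumentError, SystemCallError
  :error
end

# Defence in depth check: even without our validation, Ruby's File layer
# raises ArgumentError for a path containing a NUL byte.
def file_layer_rejects_nul?(dir)
  File.open("#{dir}/x\0y", "w") {}
  false
rescue ArgumentError
  true
end

# Run the three cases in a scratch directory; returns [results, files_created].
def demo
  Dir.mktmpdir do |dir|
    names = ["report.txt", "report.txt\0.html", "../escape"]
    results = names.each_with_object({}) { |n, h| h[n] = create_upload(dir, n) }
    [results, Dir.children(dir).sort]
  end
end

if __FILE__ == $0
  results, files = demo
  results.each { |name, outcome| puts "#{name.inspect} => #{outcome}" }
  puts "files actually created: #{files.inspect}"
end
```

The validation runs before any filesystem call, so a name such as `"report.txt\0.html"` (which a C-level `open()` would silently truncate to `report.txt`) never reaches `File.open`; the `File::EXCL` flag is the complementary check against the symlink-race class listed above for FileUtils.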
