Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)
Posted by hone and zzak on 29 Mar 2014
There is a heap overflow in the URI escape parsing of libyaml, the YAML parser used by Ruby (via psych). This vulnerability has been assigned the CVE identifier CVE-2014-2525.
Details
Any time a string in YAML with tags is parsed, a specially crafted string can cause a heap overflow which can lead to arbitrary code execution.
For example:
YAML.load <code_from_unknown_source>

Affected Versions
Ruby 1.9.3-p0 and above include psych as the default YAML parser.
Any version of psych linked against libyaml <= 0.1.5 is affected, regardless of the Ruby version.
And, these versions of Ruby bundle an affected version of libyaml:
- Ruby 2.0.0-p451 and earlier,
- Ruby 2.1.0 and Ruby 2.1.1.
You can verify the version of libyaml used by running:
$ ruby -rpsych -e 'p Psych.libyaml_version'
[0, 1, 5]

Solutions
Users who install libyaml to the system are recommended to update libyaml to 0.1.6.
When recompiling Ruby, point to the newly updated libyaml:
$ ./configure --with-yaml-dir=/path/to/libyaml

Users without a system libyaml rely on the embedded libyaml and are recommended to update psych to 2.0.5, which vendors libyaml 0.1.6:

$ gem install psych

or update your Ruby to 2.0.0-p481, 2.1.2, or newer.
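The version check above reads a single value; the script below turns it into a pass/fail check that can be dropped into a deployment or CI step. It is an added example, not code from the advisory or from the psych project. The only facts it encodes are the ones stated on this page: libyaml 0.1.6 carries the fix, so anything psych reports below that is affected, and Ruby 2.0.0-p451 and earlier, 2.1.0 and 2.1.1 bundle an affected libyaml. The function and constant names are the example's own; Psych.libyaml_version, Psych::VERSION, RUBY_VERSION and RUBY_PATCHLEVEL are the real Ruby/psych names.

```ruby
require 'psych'

# Added example for CVE-2014-2525, not the advisory's or psych's own code.
# libyaml 0.1.6 is the first release carrying the fix (per the advisory).
FIXED_LIBYAML = [0, 1, 6].freeze

# Psych.libyaml_version reports the libyaml psych is actually linked against
# (system or embedded) as an integer triple, so it is the authoritative check.
# Returns true when that version is at or below 0.1.5.
def libyaml_affected?(version = Psych.libyaml_version)
  (version <=> FIXED_LIBYAML) < 0
end

# Secondary check based on the Ruby releases the advisory lists as bundling an
# affected libyaml. Only meaningful when the embedded libyaml is in use, i.e.
# Ruby was not built with --with-yaml-dir pointing at a system libyaml.
# A patchlevel of -1 denotes a development build and is treated as unknown
# (false); rely on libyaml_affected? in that case.
def bundled_libyaml_affected?(ruby_version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  case ruby_version
  when '2.1.0', '2.1.1' then true
  when '2.0.0'          then patchlevel.between?(0, 451)
  else false
  end
end

# Human-readable verdict for the running interpreter (or for the values passed in).
def cve_2014_2525_status(libyaml = Psych.libyaml_version, psych = Psych::VERSION)
  if libyaml_affected?(libyaml)
    "VULNERABLE: psych #{psych} is linked against libyaml #{libyaml.join('.')} (<= 0.1.5); " \
      'update libyaml to 0.1.6 (and rebuild Ruby) or update psych to 2.0.5 or newer'
  else
    "OK: psych #{psych} is linked against libyaml #{libyaml.join('.')}"
  end
end

if $PROGRAM_NAME == __FILE__
  puts cve_2014_2525_status
  puts "note: this Ruby release bundles an affected libyaml" if bundled_libyaml_affected?
  exit(libyaml_affected? ? 1 : 0)
end
```

Run it as a script and use the exit status (1 when affected) to fail a build; the Ruby-version check is only a hint, since a Ruby built against an updated system libyaml is fixed even if its bundled copy is old.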
History
- Originally published at 2014-03-29 01:49:25 UTC
- Update published at 2014-03-29 09:37:00 UTC
- Update published at 2014-05-09 03:00:00 UTC