CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
Posted by hsbt on 23 Apr 2024
We have released the Ruby version 3.0.7, 3.1.5, 3.2.4 and 3.3.1 that have a security fix for an arbitrary memory address read vulnerability in Regex search. This vulnerability has been assigned the CVE identifier CVE-2024-27282.
Details
An issue was discovered in Ruby 3.x through 3.3.0.
If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.
Recommended action
We recommend to update the Ruby to version 3.3.1 or later. In order to ensure compatibility with older Ruby series, you may update as follows instead:
- For Ruby 3.0 users: Update to 3.0.7
- For Ruby 3.1 users: Update to 3.1.5
- For Ruby 3.2 users: Update to 3.2.4
- For Ruby 3.3 users: Update to 3.3.1
Affected versions
- Ruby 3.0.6 or lower
- Ruby 3.1.4 or lower
- Ruby 3.2.3 or lower
- Ruby 3.3.0
Credits
Thanks to sp2ip for discovering this issue.
History
- Originally published at 2024-04-23 10:00:00 (UTC)
Recent News
A New Look for Ruby's Documentation
Following the ruby-lang.org redesign, we have more news to celebrate Ruby’s 30th anniversary: docs.ruby-lang.org has a completely new look with Aliki—RDoc’s new default theme.
Posted by Stan Lo on 23 Dec 2025
Redesign our Site Identity
We are excited to announce a comprehensive redesign of our site. The design for this update was created by Taeko Akatsuka.
Posted by Hiroshi SHIBATA on 22 Dec 2025
Ruby 4.0.0 preview3 Released
We are pleased to announce the release of Ruby 4.0.0-preview3. Ruby 4.0 introduces Ruby::Box and “ZJIT”, and adds many improvements.
Posted by naruse on 18 Dec 2025
Ruby 3.4.8 Released
Ruby 3.4.8 has been released.
Posted by k0kubun on 17 Dec 2025