Security

Here you will find information about security issues of Ruby.

Reporting Security Vulnerabilities

Security vulnerabilities in the Ruby programming language should be reported through our HackerOne program page or via email to security@ruby-lang.org (the PGP public key), which is a private mailing list. Please ensure you read the specific details around the scope of our program before reporting an issue. Any valid reported problems will be published after fixes.

If you have found an issue affecting one of our websites, please report it via GitHub.

If you have found an issue that affects a specific Ruby community’s gem, follow the instructions on RubyGems.org.

Security Mailing List

The members of the security@ruby-lang.org mailing list are people who provide Ruby (Ruby committers and authors of other Ruby implementations, distributors, PaaS platformers).

The members must be individual people, mailing lists are not permitted. If you represent one of these organizations, please contact us to join the list.

Known issues

Here are recent issues:

• CVE-2026-27820: Buffer overflow vulnerability in Zlib::GzipReader
  2026-03-05
• CVE-2025-61594: URI Credential Leakage Bypass previous fixes
  2025-10-07
• CVE-2025-58767: DoS vulnerability in REXML
  2025-09-18
• CVE-2025-24294: Possible Denial of Service in resolv gem
  2025-07-08
• CVE-2025-43857: DoS vulnerability in net-imap
  2025-04-28
• Security advisories: CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221
  2025-02-26
• CVE-2025-25186: DoS vulnerability in net-imap
  2025-02-10
• CVE-2024-49761: ReDoS vulnerability in REXML
  2024-10-28
• CVE-2024-43398: DoS vulnerability in REXML
  2024-08-22
• CVE-2024-41946: DoS vulnerability in REXML
  2024-08-01
• CVE-2024-41123: DoS vulnerabilities in REXML
  2024-08-01
• CVE-2024-39908: DoS vulnerability in REXML
  2024-07-16
• CVE-2024-35176: DoS vulnerability in REXML
  2024-05-16
• CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
  2024-04-23
• CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
  2024-03-21
• CVE-2024-27280: Buffer overread vulnerability in StringIO
  2024-03-21
• CVE-2023-36617: ReDoS vulnerability in URI
  2023-06-29
• CVE-2023-28756: ReDoS vulnerability in Time
  2023-03-30
• CVE-2023-28755: ReDoS vulnerability in URI
  2023-03-28
• CVE-2021-33621: HTTP response splitting in CGI
  2022-11-22
• CVE-2022-28738: Double free in Regexp compilation
  2022-04-12
• CVE-2022-28739: Buffer overrun in String-to-Float conversion
  2022-04-12
• CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
  2021-11-24
• CVE-2021-41816: Buffer Overrun in CGI.escape_html
  2021-11-24
• CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
  2021-11-15
• CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
  2021-07-07
• CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
  2021-07-07
• CVE-2021-31799: A command injection vulnerability in RDoc
  2021-05-02
• CVE-2021-28965: XML round-trip vulnerability in REXML
  2021-04-05
• CVE-2021-28966: Path traversal in Tempfile on Windows
  2021-04-05
• CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
  2020-09-29
• CVE-2020-10933: Heap exposure vulnerability in the socket library
  2020-03-31
• CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)
  2020-03-19
• CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
  2019-10-01
• CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
  2019-10-01
• CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  2019-10-01
• CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
  2019-10-01
• Multiple jQuery vulnerabilities in RDoc
  2019-08-28
• Multiple vulnerabilities in RubyGems
  2019-03-05
• CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
  2018-10-17
• CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives
  2018-10-17
• CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
  2018-03-28
• CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
  2018-03-28
• CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
  2018-03-28
• CVE-2018-8777: DoS by large request in WEBrick
  2018-03-28
• CVE-2017-17742: HTTP response splitting in WEBrick
  2018-03-28
• CVE-2018-8778: Buffer under-read in String#unpack
  2018-03-28
• Multiple vulnerabilities in RubyGems
  2018-02-17
• CVE-2017-17405: Command injection vulnerability in Net::FTP
  2017-12-14
• CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
  2017-09-14
• CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
  2017-09-14
• CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
  2017-09-14
• CVE-2017-14064: Heap exposure vulnerability in generating JSON
  2017-09-14
• Multiple vulnerabilities in RubyGems
  2017-08-29
• CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL
  2015-12-16
• CVE-2015-1855: Ruby OpenSSL Hostname Verification
  2015-04-13
• CVE-2014-8090: Another Denial of Service XML Expansion
  2014-11-13
• CVE-2014-8080: Denial of Service XML Expansion
  2014-10-27
• Changed default settings of ext/openssl
  2014-10-27
• Dispute of Vulnerability CVE-2014-2734
  2014-05-09
• OpenSSL Severe Vulnerability in TLS Heartbeat Extension (CVE-2014-0160)
  2014-04-10
• Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)
  2014-03-29
• Heap Overflow in Floating Point Parsing (CVE-2013-4164)
  2013-11-22
• Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)
  2013-06-27
• Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065)
  2013-05-14

More known issues:

• Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821) published at 22 Feb, 2013.
• Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) published at 22 Feb, 2013.
• XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) published at 6 Feb, 2013.
• Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371) published at 10 Nov, 2012.
• Unintentional file creation caused by inserting a illegal NUL character (CVE-2012-4522) published at 12 Oct, 2012.
• $SAFE escaping vulnerability about Exception#to_s / NameError#to_s (CVE-2012-4464, CVE-2012-4466) published at 12 Oct, 2012.
• Security Fix for RubyGems: SSL server verification failure for remote repository published at 20 Apr, 2012.
• Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack published at 16 Feb, 2012.
• Denial of service attack was found for Ruby's Hash algorithm (CVE-2011-4815) published at 28 Dec, 2011.
• Exception methods can bypass $SAFE published at 18 Feb, 2011.
• FileUtils is vulnerable to symlink race attacks published at 18 Feb, 2011.
• XSS in WEBrick (CVE-2010-0541) published at 16 Aug, 2010.
• Buffer over-run in ARGF.inplace_mode= published at 2 Jul, 2010.
• WEBrick has an Escape Sequence Injection vulnerability (CVE-2009-4492) published at 10 Jan, 2010.
• Heap overflow in String (CVE-2009-4124) published at 7 Dec, 2009.
• DoS vulnerability in BigDecimal published at 9 Jun, 2009.
• DoS vulnerability (CVE-2008-3790) in REXML published at 23 Aug, 2008.
• Multiple vulnerabilities in Ruby published at 8 Aug, 2008.
• Arbitrary code execution vulnerabilities published at 20 Jun, 2008.
• File access vulnerability of WEBrick published at 3 Mar, 2008.
• Net::HTTPS Vulnerability published at 4 Oct, 2007.
• Another DoS Vulnerability in CGI Library published at 4 Dec, 2006.
• DoS Vulnerability in CGI Library (CVE-2006-5467) published at 3 Nov, 2006.
• Ruby vulnerability in the safe level settings published at 2 Oct, 2005.