CVE-2026-34060
HIGHSeverity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json.
Other editors that support workspace setting that get automatically applied upon opening the editor and trusting the workspace are also impacted since the server is the component that performs the interpolation.
Details
The branch CLI argument passed to the ruby-lsp server was interpolated in the generated .ruby-lsp/Gemfile without sanitization. Editors that allow defining settings saved at the workspace level (e.g.: .vscode/settings.json) that gets automatically applied open the possibility to craft a malicious repository that once opened and trusted in the editor would run arbitrary code.
Impact
Code execution with the privileges of the user who opens the malicious project. Ruby LSP assumes workspace code is trusted and so opening the editor on an untrusted workspace can lead to executing potentially dangerous code.
Remediation
The rubyLsp.branch setting has been removed entirely. VS Code extensions auto-update by default, so most users will receive the fix without action. Users who have disabled auto-updates should update to extension version >= 0.10.2.
The branch CLI flag was also entirely removed from the ruby-lsp gem. For users that don't add ruby-lsp to their Gemfiles, the server should auto-update. Users with the ruby-lsp in the Gemfile and locked to a specific version should update to >= 0.26.9.
AnalysisAI
Ruby Language Server (ruby-lsp) allows arbitrary code execution when opening malicious projects. The vulnerability exploits unsanitized interpolation of the rubyLsp.branch workspace setting into a generated Gemfile, enabling attackers to embed malicious Ruby code in .vscode/settings.json that executes when users open and trust the workspace. Affects ruby-lsp gem < 0.26.9 and VS Code extension < 0.10.2. No active exploitation or public POC currently identified at time of analysis, but the attack requires only social engineering to trick developers into opening a crafted repository.
Technical ContextAI
This vulnerability stems from improper neutralization of special elements (CWE-94: Code Injection) in the ruby-lsp language server's Gemfile generation logic. The server accepts a branch parameter via the rubyLsp.branch setting and directly interpolates it into a dynamically generated .ruby-lsp/Gemfile without input validation or sanitization. In VS Code and compatible editors, workspace settings from .vscode/settings.json are automatically applied when users trust a workspace. An attacker can craft a malicious repository containing a .vscode/settings.json with embedded Ruby code in the branch setting value, such as backtick commands or system calls. When the victim opens and trusts the project, the language server generates the Gemfile with the unsanitized input, causing the Ruby interpreter to execute the injected code during Gemfile evaluation. The affected package pkg:rubygems/ruby-lsp is a Language Server Protocol implementation for Ruby that integrates with editors like VS Code to provide IDE features such as autocomplete and diagnostics.
RemediationAI
Update the ruby-lsp gem to version 0.26.9 or later and the Ruby LSP VS Code extension to version 0.10.2 or later. For most users, the VS Code extension will auto-update automatically as auto-updates are enabled by default; verify the installed version in the Extensions panel and manually update if necessary by searching for Ruby LSP and clicking Update. For users who include ruby-lsp in their project Gemfile with a locked version, update the Gemfile to specify gem 'ruby-lsp', '>= 0.26.9' and run bundle update ruby-lsp. For users who do not add ruby-lsp to their Gemfiles, the server component should auto-update when the VS Code extension updates. The vendor has removed the vulnerable rubyLsp.branch setting entirely from the extension and the branch CLI flag from the gem, eliminating the attack vector. As an additional security practice, developers should exercise caution when opening and trusting workspaces from unfamiliar or untrusted sources, as workspace settings can modify development environment behavior. Review .vscode/settings.json files in external repositories before trusting workspaces. Full remediation guidance and security advisory available at https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c4r5-fxqw-vh93