Skip to main content

Ruby ERB CVE-2026-41316

| EUVDEUVD-2026-25385 HIGH
Protection Mechanism Failure (CWE-693)
2026-04-24 GitHub_M GHSA-q339-8rmv-2mhv
8.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 29, 2026 - 20:56 nvd
Patch available
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Patch available
Apr 24, 2026 - 05:31 EUVD
Analysis Generated
Apr 24, 2026 - 03:32 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 03:00 euvd
EUVD-2026-25385
Analysis Generated
Apr 24, 2026 - 03:00 vuln.today
CVE Published
Apr 24, 2026 - 02:35 nvd
HIGH 8.1

DescriptionCVE.org

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an @_init instance variable guard in ERB#result and ERB#run to prevent code execution when an ERB object is reconstructed via Marshal.load (deserialization). However, three other public methods that also evaluate @src via eval() were not given the same guard: ERB#def_method, ERB#def_module, and ERB#def_class. An attacker who can trigger Marshal.load on untrusted data in a Ruby application that has erb loaded can use ERB#def_module (zero-arg, default parameters) as a code execution sink, bypassing the @_init protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

AnalysisAI

Remote code execution in Ruby ERB library via unsafe deserialization allows unauthenticated attackers to execute arbitrary code by exploiting incomplete protection in Marshal.load workflows. While ERB 2.2.0+ added guards to prevent code execution during deserialization in result() and run() methods, the def_module(), def_method(), and def_class() methods remained unprotected, enabling attackers to bypass the @_init safeguard. Exploitation requires high complexity (AV:N/AC:H) as applications must deserialize untrusted Marshal data with ERB loaded. No EPSS or KEV data available; exploitation likelihood depends on prevalence of unsafe Marshal.load patterns in Ruby codebases.

Technical ContextAI

ERB (Embedded RuBy) is the standard templating engine for Ruby, bundled with Ruby core and available as a standalone gem. The vulnerability stems from incomplete deserialization protection (CWE-693: Protection Mechanism Failure). Ruby's Marshal.load reconstructs objects from serialized data, but when an ERB object is deserialized, it can trigger code evaluation through the @src instance variable. Ruby 2.7.0 introduced an @_init guard in ERB#result and ERB#run to prevent this, but three additional public methods (def_method, def_module, def_class) that also call eval(@src) were left unguarded. An attacker crafting a malicious ERB object can trigger def_module() with zero arguments and default parameters, executing arbitrary Ruby code server-side. This represents a classic protection bypass where security controls were applied inconsistently across similar attack surfaces within the same component.

RemediationAI

Upgrade ERB to patched versions: 4.0.3.1, 4.0.4.1, 6.0.1.1, or 6.0.4 as detailed in GitHub advisory GHSA-q339-8rmv-2mhv (https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv). For Ruby core distributions, ensure your Ruby version includes the patched ERB library or explicitly update the erb gem via bundler. If immediate patching is not feasible, implement compensating controls: 1) Eliminate all use of Marshal.load on untrusted data - replace with safe serialization formats like JSON or MessagePack with strict schema validation; 2) If Marshal.load is unavoidable, implement strict allowlist-based deserialization using safe_load alternatives or custom wrapper classes that validate object types before reconstruction; 3) Apply network segmentation to isolate services performing deserialization from untrusted sources. Note that these workarounds add development complexity and may break legacy functionality relying on Marshal serialization. Audit codebases for Marshal.load patterns in background job handlers, session stores, and caching layers as priority remediation targets.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-41316 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy