Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42.
AnalysisAI
Path traversal vulnerability in YARD prior to version 0.9.42 allows remote attackers to access arbitrary files on a server running yard server with unsanitized HTTP requests when using the --docroot flag. The vulnerability affects the documentation serving functionality and has been patched in version 0.9.42. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
YARD is a Ruby documentation generation and serving tool. The vulnerability exists in the yard server component, which uses HTTP request handling to serve pre-generated documentation files. The root cause is improper input validation of the document_root (--docroot) parameter, classified as CWE-22 (Path Traversal). When yard server processes HTTP requests without proper sanitization, an attacker can craft requests containing path traversal sequences (such as ../ or absolute paths) to bypass intended directory restrictions and access files outside the intended documentation directory. The vulnerability is specific to non-WEBrick server configurations, as WEBrick performs path sanitization by default.
RemediationAI
Upgrade YARD to version 0.9.42 or later immediately. The patched version fixes the path traversal vulnerability in the document_root handling. For users unable to upgrade immediately, two workarounds are available: First, use WEBrick as the server backend by running 'yard server -s webrick', which performs automatic path sanitization on HTTP requests. Second, implement path sanitization at the web server level (e.g., nginx, Apache) by adding rules that reject or neutralize path traversal sequences in HTTP requests. These workarounds mitigate the risk but do not address the underlying code defect; upgrading to 0.9.42 is the definitive fix. The upgrade has minimal side effects, as it is primarily a security fix with only minor UI/UX improvements included in the release.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28554