Ruby
Monthly
A cross-site scripting (XSS) vulnerability exists in Ruby on Rails Action View tag helpers when blank strings are used as HTML attribute names, allowing attribute escaping to be bypassed and producing malformed HTML. Applications that permit users to specify custom HTML attributes are vulnerable, potentially enabling attackers to inject arbitrary JavaScript that executes in users' browsers. Patches are available from the Rails vendor across multiple affected versions (7.2.3.1, 8.0.4.1, and 8.1.2.1), and remediation should be prioritized for user-facing Rails applications accepting custom attribute inputs.
Remote code execution in Manyfold prior to version 0.133.0 allows authenticated users to execute arbitrary commands by uploading a ZIP archive with specially crafted filenames containing shell metacharacters that are passed unsanitized to Ruby backtick execution. The vulnerability affects the model render generation feature and requires an attacker to be logged in, with public exploit code currently available. A patch is available in version 0.133.0 and later.
Stored XSS in Bugsink error tracking tool before 2.0.13 allows unauthenticated attackers to inject persistent scripts through error event submissions. PoC and patch available.
Rack's Directory module fails to sanitize filenames when generating HTML directory listings, allowing attackers to craft files with javascript: scheme names that execute arbitrary code when clicked. Authenticated users or those with access to directories containing maliciously named files can trigger stored XSS attacks affecting other users viewing the directory index. Public exploit code exists for versions prior to 2.2.22, 3.1.20, and 3.2.5.
Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list directories outside the configured root by exploiting a string prefix matching flaw in path validation. An attacker can craft requests with path traversal sequences to enumerate sensitive directories if the target path shares a common prefix with the configured root directory. Public exploit code exists for this vulnerability.
Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. [CVSS 7.0 HIGH]
Mongoid's Criteria.from_hash method in Ruby can execute arbitrary code when processing specially crafted Hash objects, allowing authenticated attackers to achieve remote code execution on systems using vulnerable versions. The vulnerability requires valid credentials and network access but no user interaction, making it exploitable in environments where untrusted users have application access. No patch is currently available.
Faraday HTTP client library versions before 2.14.1 fail to properly validate protocol-relative URLs when merging user-supplied paths with base URLs, allowing attackers to redirect requests to arbitrary hosts via SSRF attacks. Applications that pass untrusted input to Faraday request methods like get() or post() are vulnerable to request hijacking. A patch is available in version 2.14.1 and later.
Spree versions up to 5.0.8 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Spree Commerce's guest checkout feature contains an insecure direct object reference (IDOR) flaw that allows unauthenticated attackers to access other customers' personally identifiable information by manipulating address parameters during transaction processing. Public exploit code exists for this vulnerability, which affects all guest checkout flows across multiple Spree versions. Patches are available for versions 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Use-after-free memory corruption in mruby up to version 3.4.0 within the JMPNOT-to-JMPIF optimization logic allows local attackers with user-level privileges to corrupt memory and potentially execute arbitrary code. Public exploit code exists for this vulnerability, and a patch is available. Affected systems should apply the available security update promptly.
OpenC3 COSMOS (space mission control software, 5.0.0-6.10.1) has unauthenticated RCE through the JSON-RPC API. String parameters are evaluated as Ruby code via convert_to_value. Maximum CVSS 10.0 with scope change.
Spree versions up to 4.10.2 is affected by authorization bypass through user-controlled key (CVSS 7.5).
Spree e-commerce platform versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5 contain an authenticated insecure direct object reference vulnerability allowing logged-in users to access and retrieve address information belonging to other customers by manipulating address identifiers during order modification. Public exploit code exists for this vulnerability, which has been patched in the aforementioned versions.
CVE-2025-53623 is an arbitrary code execution vulnerability in the Job Iteration API's CsvEnumerator class affecting versions prior to 1.11.0. An unauthenticated remote attacker can execute arbitrary system commands by supplying malicious input to CSV file processing methods, particularly the count_of_rows_in_file method, potentially leading to complete system compromise. The vulnerability has a CVSS score of 8.1 indicating high severity with network-accessible attack vector and no privilege requirements.
A cross-site scripting (XSS) vulnerability exists in Ruby on Rails Action View tag helpers when blank strings are used as HTML attribute names, allowing attribute escaping to be bypassed and producing malformed HTML. Applications that permit users to specify custom HTML attributes are vulnerable, potentially enabling attackers to inject arbitrary JavaScript that executes in users' browsers. Patches are available from the Rails vendor across multiple affected versions (7.2.3.1, 8.0.4.1, and 8.1.2.1), and remediation should be prioritized for user-facing Rails applications accepting custom attribute inputs.
Remote code execution in Manyfold prior to version 0.133.0 allows authenticated users to execute arbitrary commands by uploading a ZIP archive with specially crafted filenames containing shell metacharacters that are passed unsanitized to Ruby backtick execution. The vulnerability affects the model render generation feature and requires an attacker to be logged in, with public exploit code currently available. A patch is available in version 0.133.0 and later.
Stored XSS in Bugsink error tracking tool before 2.0.13 allows unauthenticated attackers to inject persistent scripts through error event submissions. PoC and patch available.
Rack's Directory module fails to sanitize filenames when generating HTML directory listings, allowing attackers to craft files with javascript: scheme names that execute arbitrary code when clicked. Authenticated users or those with access to directories containing maliciously named files can trigger stored XSS attacks affecting other users viewing the directory index. Public exploit code exists for versions prior to 2.2.22, 3.1.20, and 3.2.5.
Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list directories outside the configured root by exploiting a string prefix matching flaw in path validation. An attacker can craft requests with path traversal sequences to enumerate sensitive directories if the target path shares a common prefix with the configured root directory. Public exploit code exists for this vulnerability.
Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. [CVSS 7.0 HIGH]
Mongoid's Criteria.from_hash method in Ruby can execute arbitrary code when processing specially crafted Hash objects, allowing authenticated attackers to achieve remote code execution on systems using vulnerable versions. The vulnerability requires valid credentials and network access but no user interaction, making it exploitable in environments where untrusted users have application access. No patch is currently available.
Faraday HTTP client library versions before 2.14.1 fail to properly validate protocol-relative URLs when merging user-supplied paths with base URLs, allowing attackers to redirect requests to arbitrary hosts via SSRF attacks. Applications that pass untrusted input to Faraday request methods like get() or post() are vulnerable to request hijacking. A patch is available in version 2.14.1 and later.
Spree versions up to 5.0.8 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Spree Commerce's guest checkout feature contains an insecure direct object reference (IDOR) flaw that allows unauthenticated attackers to access other customers' personally identifiable information by manipulating address parameters during transaction processing. Public exploit code exists for this vulnerability, which affects all guest checkout flows across multiple Spree versions. Patches are available for versions 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Use-after-free memory corruption in mruby up to version 3.4.0 within the JMPNOT-to-JMPIF optimization logic allows local attackers with user-level privileges to corrupt memory and potentially execute arbitrary code. Public exploit code exists for this vulnerability, and a patch is available. Affected systems should apply the available security update promptly.
OpenC3 COSMOS (space mission control software, 5.0.0-6.10.1) has unauthenticated RCE through the JSON-RPC API. String parameters are evaluated as Ruby code via convert_to_value. Maximum CVSS 10.0 with scope change.
Spree versions up to 4.10.2 is affected by authorization bypass through user-controlled key (CVSS 7.5).
Spree e-commerce platform versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5 contain an authenticated insecure direct object reference vulnerability allowing logged-in users to access and retrieve address information belonging to other customers by manipulating address identifiers during order modification. Public exploit code exists for this vulnerability, which has been patched in the aforementioned versions.
CVE-2025-53623 is an arbitrary code execution vulnerability in the Job Iteration API's CsvEnumerator class affecting versions prior to 1.11.0. An unauthenticated remote attacker can execute arbitrary system commands by supplying malicious input to CSV file processing methods, particularly the count_of_rows_in_file method, potentially leading to complete system compromise. The vulnerability has a CVSS score of 8.1 indicating high severity with network-accessible attack vector and no privilege requirements.