Here you will find information about security issues of Ruby.
Reporting Security Vulnerabilities
Security vulnerabilities in the Ruby programming language should be reported through our bounty program page at HackerOne. Please ensure you read the specific details around the scope of our program before reporting an issue. Any valid reported problems will be published after they are fixed.
If you have found an issue affecting one of our websites, please report it via GitHub. Security announcements are also posted to our Google Groups.
If you have found an issue that affects a specific gem from the Ruby community, follow the instructions on RubyGems.org.
To get in touch with the security team directly outside of HackerOne, you can send email to security@ruby-lang.org (the PGP public key), which is a private mailing list.
The members of the mailing list are people who provide Ruby (Ruby committers and authors of other Ruby implementations, distributors, and PaaS platform operators). The members must be individual people; mailing lists are not permitted.
Known issues
Here are recent issues:
- Security advisories: CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221 (published 2025-02-26)
- CVE-2025-25186: DoS vulnerability in net-imap (published 2025-02-10)
- CVE-2024-49761: ReDoS vulnerability in REXML (published 2024-10-28)
- CVE-2024-43398: DoS vulnerability in REXML (published 2024-08-22)
- CVE-2024-41946: DoS vulnerability in REXML (published 2024-08-01)
- CVE-2024-41123: DoS vulnerabilities in REXML (published 2024-08-01)
- CVE-2024-39908: DoS vulnerability in REXML (published 2024-07-16)
- CVE-2024-35176: DoS vulnerability in REXML (published 2024-05-16)
- CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search (published 2024-04-23)
- CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc (published 2024-03-21)
- CVE-2024-27280: Buffer overread vulnerability in StringIO (published 2024-03-21)
- CVE-2023-36617: ReDoS vulnerability in URI (published 2023-06-29)
- CVE-2023-28756: ReDoS vulnerability in Time (published 2023-03-30)
- CVE-2023-28755: ReDoS vulnerability in URI (published 2023-03-28)
- CVE-2021-33621: HTTP response splitting in CGI (published 2022-11-22)
- CVE-2022-28738: Double free in Regexp compilation (published 2022-04-12)
- CVE-2022-28739: Buffer overrun in String-to-Float conversion (published 2022-04-12)
- CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse (published 2021-11-24)
- CVE-2021-41816: Buffer Overrun in CGI.escape_html (published 2021-11-24)
- CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods (published 2021-11-15)
- CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP (published 2021-07-07)
- CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP (published 2021-07-07)
- CVE-2021-31799: A command injection vulnerability in RDoc (published 2021-05-02)
- CVE-2021-28965: XML round-trip vulnerability in REXML (published 2021-04-05)
- CVE-2021-28966: Path traversal in Tempfile on Windows (published 2021-04-05)
- CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick (published 2020-09-29)
- CVE-2020-10933: Heap exposure vulnerability in the socket library (published 2020-03-31)
- CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix) (published 2020-03-19)
- CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication (published 2019-10-01)
- CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch? (published 2019-10-01)
- CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix) (published 2019-10-01)
- CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test (published 2019-10-01)
- Multiple jQuery vulnerabilities in RDoc (published 2019-08-28)
- Multiple vulnerabilities in RubyGems (published 2019-03-05)
- CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly (published 2018-10-17)
- CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives (published 2018-10-17)
- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (published 2018-03-28)
- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (published 2018-03-28)
- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (published 2018-03-28)
- CVE-2018-8777: DoS by large request in WEBrick (published 2018-03-28)
- CVE-2017-17742: HTTP response splitting in WEBrick (published 2018-03-28)
- CVE-2018-8778: Buffer under-read in String#unpack (published 2018-03-28)
- Multiple vulnerabilities in RubyGems (published 2018-02-17)
- CVE-2017-17405: Command injection vulnerability in Net::FTP (published 2017-12-14)
- CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick (published 2017-09-14)
- CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf (published 2017-09-14)
- CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode (published 2017-09-14)
- CVE-2017-14064: Heap exposure vulnerability in generating JSON (published 2017-09-14)
- Multiple vulnerabilities in RubyGems (published 2017-08-29)
- CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (published 2015-12-16)
- CVE-2015-1855: Ruby OpenSSL Hostname Verification (published 2015-04-13)
- CVE-2014-8090: Another Denial of Service XML Expansion (published 2014-11-13)
- CVE-2014-8080: Denial of Service XML Expansion (published 2014-10-27)
- Changed default settings of ext/openssl (published 2014-10-27)
- Dispute of Vulnerability CVE-2014-2734 (published 2014-05-09)
- OpenSSL Severe Vulnerability in TLS Heartbeat Extension (CVE-2014-0160) (published 2014-04-10)
- Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525) (published 2014-03-29)
- Heap Overflow in Floating Point Parsing (CVE-2013-4164) (published 2013-11-22)
- Hostname check bypassing vulnerability in SSL client (CVE-2013-4073) (published 2013-06-27)
- Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065) (published 2013-05-14)
More known issues:
- Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821) (published 22 Feb, 2013)
- Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) (published 22 Feb, 2013)
- XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) (published 6 Feb, 2013)
- Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371) (published 10 Nov, 2012)
- Unintentional file creation caused by inserting an illegal NUL character (CVE-2012-4522) (published 12 Oct, 2012)
- $SAFE escaping vulnerability about Exception#to_s / NameError#to_s (CVE-2012-4464, CVE-2012-4466) (published 12 Oct, 2012)
- Security Fix for RubyGems: SSL server verification failure for remote repository (published 20 Apr, 2012)
- Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack (published 16 Feb, 2012)
- Denial of service attack was found for Ruby's Hash algorithm (CVE-2011-4815) (published 28 Dec, 2011)
- Exception methods can bypass $SAFE (published 18 Feb, 2011)
- FileUtils is vulnerable to symlink race attacks (published 18 Feb, 2011)
- XSS in WEBrick (CVE-2010-0541) (published 16 Aug, 2010)
- Buffer over-run in ARGF.inplace_mode= (published 2 Jul, 2010)
- WEBrick has an Escape Sequence Injection vulnerability (published 10 Jan, 2010)
- Heap overflow in String (CVE-2009-4124) (published 7 Dec, 2009)
- DoS vulnerability in BigDecimal (published 9 Jun, 2009)
- DoS vulnerability in REXML (published 23 Aug, 2008)
- Multiple vulnerabilities in Ruby (published 8 Aug, 2008)
- Arbitrary code execution vulnerabilities (published 20 Jun, 2008)
- File access vulnerability of WEBrick (published 3 Mar, 2008)
- Net::HTTPS Vulnerability (published 4 Oct, 2007)
- Another DoS Vulnerability in CGI Library (published 4 Dec, 2006)
- DoS Vulnerability in CGI Library (CVE-2006-5467) (published 3 Nov, 2006)
- Ruby vulnerability in the safe level settings (published 2 Oct, 2005)