Ruby-lang Ruby
55 CVEs affecting Ruby-lang Ruby. Latest disclosed: 2026-05-22. Critical: 8, High: 9.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-17790 | Critical | 9.8 | 2017-12-20 | The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv… |
| CVE-2017-14064 | Critical | 9.8 | 2017-08-31 | Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ex… |
| CVE-2017-11465 | Critical | 9.8 | 2017-07-19 | The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecifie… |
| CVE-2017-9225 | Critical | 9.8 | 2017-05-24 | An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in on… |
| CVE-2016-2339 | Critical | 9.8 | 2017-01-06 | An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize"… |
| CVE-2016-2337 | Critical | 9.8 | 2017-01-06 | Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitra… |
| CVE-2016-2336 | Critical | 9.8 | 2017-01-06 | Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. Attacker passing different type of object than this assumed… |
| CVE-2017-0898 | Critical | 9.1 | 2017-09-15 | Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precision specifier (*) with a huge minus value. Such situation… |
| CVE-2017-17405 | High | 8.8 | 2017-12-15 | Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a lo… |
| CVE-2017-10784 | High | 8.8 | 2017-09-19 | The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal e… |
| CVE-2015-7551 | High | 8.4 | 2016-03-24 | The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before… |
| CVE-2026-46727 | High | 8.1 | 2026-05-22 | An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo i… |
| CVE-2017-14033 | High | 7.5 | 2017-09-19 | The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (… |
| CVE-2014-6438 | High | 7.5 | 2017-09-06 | The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtr… |
| CVE-2017-9229 | High | 7.5 | 2017-05-24 | An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_c… |
| CVE-2017-6181 | High | 7.5 | 2017-04-03 | The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cau… |
| CVE-2009-5147 | High | 7.3 | 2017-03-29 | DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names. |
| CVE-2012-5380 | Medium | 6.7 | 2012-10-11 | Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local user… |
| CVE-2015-9096 | Medium | 6.1 | 2017-06-12 | Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences… |
| CVE-2015-3900 | | | 2015-06-24 | RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows… |
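Two injection classes recur in the rows above and share one root cause: an untrusted string reaches a sink that interprets part of it as syntax. Kernel#open treats a name beginning with "|" as a command to spawn (the pattern behind CVE-2017-17790 in lib/resolv.rb and CVE-2017-17405 in Net::FTP), and Net::SMTP before 2.4.0 passed MAIL FROM / RCPT TO arguments through without rejecting CR/LF, so an address could smuggle a second SMTP command (CVE-2015-9096). The Ruby below is an added example written for this page, not code from the Ruby project or from any of the advisories: the module SafeSinks, its methods and its exception class are hypothetical names, and the file contents and e-mail addresses are constructed inputs. It shows the hardened form of each sink (File.open instead of Kernel#open, plus an explicit reject of the dangerous bytes) together with a small self-check.

```ruby
require "tmpdir"

# Added example: hardened wrappers for two string-interpreting sinks.
# Module and method names are hypothetical, not part of Ruby's stdlib.
module SafeSinks
  class UnsafeName < ArgumentError; end

  # Kernel#open("|id") spawns `id` and returns a pipe to it; File.open has
  # no such special case. Rejecting the prefix (and any control bytes) up
  # front turns an attacker-chosen name into a clear error instead of a
  # command execution (Kernel#open) or a confusing ENOENT (File.open).
  def self.open_local_file(name, mode = "r", &blk)
    name = name.to_s
    raise UnsafeName, "pipe-prefixed name rejected: #{name.inspect}" if name.start_with?("|")
    raise UnsafeName, "control bytes in name rejected" if name.match?(/[\x00-\x1f]/)
    File.open(name, mode, &blk)   # never Kernel#open for an untrusted name
  end

  # SMTP commands are CRLF-terminated, so "a@b.test\r\nRCPT TO:<c@d.test>"
  # placed into MAIL FROM becomes two commands on the wire. An address may
  # contain neither CR nor LF; refuse it before it reaches Net::SMTP.
  def self.smtp_address(addr)
    addr = addr.to_s
    raise UnsafeName, "CR/LF in SMTP address rejected: #{addr.inspect}" if addr.match?(/[\r\n]/)
    addr
  end

  # Classify a batch of candidate names/addresses: returns [accepted, rejected]
  # so the two checks can be exercised over sample input without I/O.
  def self.triage(names:, addresses:)
    accepted = []
    rejected = []
    names.each do |n|
      if n.start_with?("|") || n.match?(/[\x00-\x1f]/)
        rejected << n
      else
        accepted << n
      end
    end
    addresses.each do |a|
      a.match?(/[\r\n]/) ? rejected << a : accepted << a
    end
    [accepted, rejected]
  end
end

# Self-check over constructed inputs (not data from the advisories).
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, "hosts.txt")
    SafeSinks.open_local_file(path, "w") { |f| f.write("127.0.0.1 localhost\n") }
    puts SafeSinks.open_local_file(path) { |f| f.read }.inspect
  end
  begin
    SafeSinks.open_local_file("|id")
  rescue SafeSinks::UnsafeName => e
    puts "rejected: #{e.message}"
  end
  accepted, rejected = SafeSinks.triage(
    names: ["hosts.txt", "|id", "a\x00b"],
    addresses: ["user@example.test", "a@b.test\r\nRCPT TO:<c@d.test>"]
  )
  puts "accepted=#{accepted.inspect} rejected=#{rejected.inspect}"
end
```

The check belongs at the boundary where the string is still recognisable as "a filename" or "an address", not inside the sink: Kernel#open cannot know whether a leading "|" was intended, and Net::SMTP cannot know whether a CR/LF was meant as a line break, so the caller has to decide. On a current Ruby, use File.open or IO.popen explicitly according to which behaviour you actually want, and never hand Kernel#open a name derived from network input.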