HIGH · CVSS 8.8
CVE-2024-27281 — Ruby RDoc remote code execution via unsafe deserialization of .rdoc_options
RDoc, the documentation generator bundled with Ruby, loaded its `.rdoc_options` configuration file (and its documentation cache) without restricting which Ruby classes could be deserialized. A crafted file therefore leads to object injection and arbitrary code execution on the machine that builds the documentation.
Affects
- Ruby 3.0 < 3.0.7 / 3.1 < 3.1.5 / 3.2 < 3.2.4 / 3.3 < 3.3.1
- RDoc gem 6.3.3 through 6.6.2 (fixed in 6.6.3.1, with backports 6.3.4.1 / 6.4.1.1 / 6.5.1.1)
What an attacker does
A malicious gem or repository ships a crafted `.rdoc_options` file (or a crafted RDoc cache). When RDoc processes that directory, which happens during `gem install` because RubyGems generates ri documentation by default, the unrestricted load instantiates attacker-chosen Ruby objects and runs their code on the installer's machine. No crafted filenames are involved; the payload is the serialized content of the configuration file itself.
How to detect
`ruby --version` (fixed releases are 3.0.7, 3.1.5, 3.2.4 and 3.3.1) and `gem list rdoc` or `ruby -rrdoc -e 'puts RDoc::VERSION'` (fixed gem is 6.6.3.1, or 6.3.4.1 / 6.4.1.1 / 6.5.1.1 on older lines). Checking only the Ruby version misses a vulnerable rdoc gem installed on top of a patched Ruby, and vice versa.
How to fix
Upgrade Ruby to a fixed release, or update the bundled gem with `gem update rdoc` to 6.6.3.1 or a backport. Additionally: run `gem install --no-document` in CI (or set `gem: --no-document` in `.gemrc`) so untrusted gems are never passed through RDoc at install time, and inspect `.rdoc_options` for `!ruby/` tags before running `rdoc` on a checkout you did not author.
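The root cause and the corresponding check, as an added example that is not RDoc's own code: a constructed `.rdoc_options` document with one value tagged to revive an arbitrary object, loaded once without class restrictions (the pre-fix behaviour) and once with `YAML.safe_load`, plus a static pre-scan for `!ruby/` tags usable in CI before any `rdoc` or `gem install` runs. `DemoHook` is a hypothetical class standing in for any class already loaded in the process; its `init_with` hook only records the attacker-supplied string, it does not execute it.

```ruby
# Added example (not RDoc's or RubyGems' code): why an unrestricted YAML load
# of .rdoc_options is dangerous, and what a restricted load and a pre-scan look like.
require 'yaml'

# Hypothetical class standing in for any class already loaded in the rdoc/gem
# process. Psych calls init_with on revived objects, so whatever that hook does
# runs during the load itself, before any "documentation" is generated.
class DemoHook
  attr_reader :command

  def self.seen
    @seen ||= []
  end

  def init_with(coder)
    @command = coder['command']   # attacker-chosen data taken from the YAML
    DemoHook.seen << @command      # stands in for a side effect; nothing is executed here
  end
end

# Constructed .rdoc_options content: two legitimate keys plus one value tagged
# to revive an arbitrary Ruby object.
CRAFTED_RDOC_OPTIONS = <<~YAML
  ---
  title: Example gem documentation
  main_page: README.md
  exclude: !ruby/object:DemoHook
    command: "echo this string is data, never executed here"
YAML

# Unrestricted load: any tagged class is instantiated. Falls back to YAML.load
# on Psych < 3.3, where YAML.load itself was already unrestricted.
def load_unrestricted(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Restricted load: only scalars, arrays, hashes and Symbols survive; any other
# tag raises Psych::DisallowedClass. Returns [:ok, hash] or [:rejected, message]
# so a caller can refuse to build documentation instead of proceeding.
def load_restricted(yaml)
  opts = YAML.safe_load(yaml, permitted_classes: [Symbol])
  [:ok, opts]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Static pre-check: list !ruby/... tags in a .rdoc_options file without parsing
# it at all, so the check itself cannot trigger deserialization.
def ruby_tags(yaml)
  yaml.scan(%r{!ruby/\S+}).uniq
end

if __FILE__ == $0
  p load_unrestricted(CRAFTED_RDOC_OPTIONS)['exclude']   # a DemoHook instance
  p load_restricted(CRAFTED_RDOC_OPTIONS)                # [:rejected, "Tried to load unspecified class: DemoHook"]
  p ruby_tags(CRAFTED_RDOC_OPTIONS)                      # ["!ruby/object:DemoHook"]
end
```

A legitimate `.rdoc_options` contains only strings, numbers, booleans, arrays and hashes, so `ruby_tags` returning anything is reason enough to skip documentation generation for that gem; the restricted loader is the shape of the fix RDoc adopted.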
How Securie catches it
Securie's Ruby scanner flags vulnerable Ruby and RDoc gem versions and audits gem-install practices such as whether documentation generation is disabled in CI.