Category

Ruby

Security vulnerabilities and automated fixes for ruby issues

5 posts found

high6 min

How path traversal happens in Ruby YARD server and how to fix it

A high-severity path traversal vulnerability (CVE-2026-41493) in YARD versions prior to 0.9.42 allowed attackers to read arbitrary files from servers running `yard server`. This fix upgrades the yard gem from 0.9.26 to 0.9.42 in the Gemfile and Gemfile.lock, closing a dangerous information disclosure vector that could expose configuration files, credentials, and source code.

#security#path-traversal#ruby+4 more
O
orbisai0security
Jul 9, 2026
high6 min

How Denial of Service via crafted URI templates happens in Ruby addressable and how to fix it

A high-severity Denial of Service vulnerability (CVE-2026-35611) was discovered in the Ruby `addressable` gem versions prior to 2.9.0, which could allow attackers to crash or hang applications by sending specially crafted URI templates. The fix upgrades the dependency from version 2.8.7 to 2.9.0 across the Gemfile, Gemfile.lock, and gemspec in a Fastlane project, eliminating the vulnerable code path entirely.

#security#ruby#denial-of-service+4 more
O
orbisai0security
Jun 12, 2026
medium7 min

Mass Assignment Vulnerability: Why Your Rails Models Need attr_accessible

A medium-severity mass assignment vulnerability was identified in a Ruby on Rails model that lacked proper attribute whitelisting via `attr_accessible` or strong parameters. Without this protection, attackers can manipulate any model attribute through crafted HTTP requests, potentially escalating privileges or corrupting data. The fix enforces explicit attribute allowlisting, closing the door on unauthorized mass assignment exploitation.

#ruby#rails#mass-assignment+4 more
O
orbisai0security
May 28, 2026
critical8 min

Critical Buffer Overflow in OJ's fast.c: How an Unsafe strcpy Nearly Opened the Door to RCE

A critical buffer overflow vulnerability was discovered and patched in the popular OJ Ruby JSON library's fast.c parser, where an unbounded strcpy call allowed attacker-controlled JSON input to overwrite adjacent memory. Left unpatched, this classic CWE-120 flaw could enable arbitrary code execution in any application parsing untrusted JSON with the affected library. The fix eliminates the unsafe copy operation, closing a potential remote code execution vector that affected countless Ruby applic

#buffer-overflow#c#ruby+4 more
O
orbisai0security
May 15, 2026
medium8 min

Silent Data Destruction: The Hidden Danger in Upload Price Tier Logic

A medium-severity vulnerability in Fastlane's `deliver` tool revealed how a subtle semantic distinction between `nil` and an empty array could silently remove an app from sale in every App Store territory worldwide — with no warning, no confirmation, and a misleading success message to cover its tracks. This post breaks down how the bug worked, why it matters, and what developers can learn about defensive coding with destructive operations.

#ruby#fastlane#app-store+4 more
O
orbisai0security
May 9, 2026