Ruby

This hub aggregates every CVE we track for Ruby, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Ruby.

• CVE-2026-46727An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a rem...8.1May 22, 2026
• CVE-2025-24294The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can cr...7.5Jul 12, 2025
• CVE-2025-43857net-imap rubygem vulnerable to possible DoS by memory exhaustion6.5Apr 28, 2025
• CVE-2025-0306Ruby: openssl: ruby marvin attack7.4Jan 9, 2025
• CVE-2024-39908Denial of service in REXML4.3Jul 16, 2024
• CVE-2024-35176REXML contains a denial of service vulnerability5.3May 16, 2024
• CVE-2024-27281An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resul...4.5May 8, 2024
• CVE-2024-27280A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of...9.8May 8, 2024
• CVE-2024-27282An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text,...6.6May 8, 2024
• CVE-2023-36617A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing st...5.3Jun 29, 2023
• CVE-2023-28756A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution tim...5.3Mar 31, 2023
• CVE-2023-28755A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time...5.3Mar 31, 2023
• CVE-2023-22796A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a s...7.5Feb 9, 2023
• CVE-2022-44566A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connect...7.5Feb 9, 2023
• CVE-2021-33621The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an ...8.8Nov 18, 2022