Ruby Ruby

  1. Vendors
  2. Ruby

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Ruby product.

RSS Feeds for Ruby security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Ruby products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Ruby Sorted by Most Security Vulnerabilities since 2018

Ruby Rexml2 vulnerabilities

Ruby Rdoc1 vulnerability

By the Year

In 2026 there have been 2 vulnerabilities in Ruby. Last year, in 2025 Ruby had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Ruby in 2026 could surpass last years number.




Year Vulnerabilities Average Score
2026 2 0.00
2025 2 0.00
2024 2 4.50
2023 0 0.00
2022 0 0.00
2021 0 0.00
2020 0 0.00
2019 3 0.00

It may take a day or so for new Ruby vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Ruby Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-27820 Apr 16, 2026
Ruby zlib Buffer Overflow in GzipReader (3.2.1) zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
CVE-2026-33210 Mar 20, 2026
Ruby JSON 2.14.0-2.15.2.1 Format String Injection (allow_duplicate_key: false) Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
CVE-2025-61594 Dec 30, 2025
URI is a module providing classes to handle Uniform Resource Identifiers URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
CVE-2025-58767 Sep 17, 2025
REXML DoS: Multiple XML Declarations 3.3.3–3.4.1 REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.
Rexml
CVE-2024-49761 Oct 28, 2024
REXML 3.3.8 ReDoS via Hex Numeric Ref REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
Rexml
CVE-2024-27281 May 14, 2024
RDoc YAML Object Injection (6.6.2) Remote Code Execution An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
Rdoc
CVE-2015-1855 Nov 29, 2019
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
CVE-2013-6460 Nov 05, 2019
Nokogiri gem 1.5.x has Denial of Service Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents
CVE-2013-6461 Nov 05, 2019
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.