ReDoS in CGI Gem v<0.4.2 (Ruby) — Util#escapeElement
CVE-2025-27220 Published on March 4, 2025
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
Weakness Type
What is a ReDoS Vulnerability?
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met:
CVE-2025-27220 has been classified to as a ReDoS vulnerability or weakness.
Products Associated with CVE-2025-27220
stack.watch emails you whenever new vulnerabilities are published in Ruby Programming Language Cgi or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
ruby-lang CGI:- Before 0.3.5.1 is affected.
- Version 0.3.6 and below 0.3.7 is affected.
- Version 0.4.0 and below 0.4.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.