CVE-2014-4994
Description
The gyazo gem 1.0.0 for Ruby allows local users to write arbitrary files via a symlink attack on a predictable temporary file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The gyazo gem 1.0.0 for Ruby allows local users to write arbitrary files via a symlink attack on a predictable temporary file.
Vulnerability
The gyazo gem version 1.0.0 for Ruby contains a vulnerability in lib/gyazo/client.rb where it creates a temporary file with a predictable name based on Time.now.to_i and Time.now.usec in the /tmp directory [1][3]. This allows a local attacker to perform a symlink attack, writing to an arbitrary file when the gem writes to the temporary file.
Exploitation
A local attacker can predict the temporary filename by observing the system time or brute-forcing the microsecond component. The attacker creates a symbolic link from the predicted path (e.g., /tmp/gyazo_upload__.png) to a target file writable by the user running the gem. When the gem executes and writes to the temporary file, it follows the symlink and overwrites the target file. No special privileges are required beyond local access to the system [3].
Impact
Successful exploitation allows a local attacker to overwrite arbitrary files with the privileges of the user running the gyazo gem. This can lead to data corruption, denial of service, or potential privilege escalation if critical system or user files are overwritten [1][3].
Mitigation
No patched version of the gyazo gem has been released. The gem appears to be unmaintained. Users should avoid using this gem in multi-user environments or ensure that the /tmp directory is configured with the sticky bit and that untrusted users cannot create symlinks. Alternatively, migrate to a different gem that handles temporary files securely [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gyazoRubyGems | >= 1.0.0, < 2.0.0 | 2.0.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The application creates temporary files with predictable, time-based filenames, allowing for symlink attacks."
Attack vector
A local user can exploit this vulnerability by creating a symbolic link to a sensitive file. When the application generates a temporary file with a predictable name, the symbolic link will cause the operation to target the sensitive file instead. This allows the attacker to overwrite arbitrary files on the system. The vulnerability is related to time-based filenames used for temporary files [ref_id=1].
Affected code
The vulnerability resides in the `lib/gyazo/client.rb` file within the gyazo gem version 1.0.0. Specifically, the code snippet responsible for creating temporary filenames is located around lines 57-62, where `tmpfile` is constructed using `Time.now.to_i` and `Time.now.usec` [ref_id=3, ref_id=4].
What the fix does
The patch is not available in the provided information. The advisory suggests that the vulnerability is due to predictable, time-based filenames for temporary files, which can be exploited via a symlink attack [ref_id=1]. Remediation would likely involve generating more secure, non-predictable temporary filenames or properly validating file paths.
Preconditions
- inputThe application must be running version 1.0.0 of the gyazo gem.
- inputThe attacker must have local access to the system.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-6x45-86q6-rcmrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-4994ghsaADVISORY
- www.openwall.com/lists/oss-security/2014/07/07/13ghsamailing-listx_refsource_MLISTWEB
- www.openwall.com/lists/oss-security/2014/07/17/5ghsamailing-listx_refsource_MLISTWEB
- www.vapid.dhs.org/advisories/gyazo-1.0.0.htmlmitrex_refsource_MISC
- github.com/rubysec/ruby-advisory-db/blob/master/gems/gyazo/CVE-2014-4994.ymlghsaWEB
- web.archive.org/web/20200229061943/http://www.vapid.dhs.org/advisories/gyazo-1.0.0.htmlghsaWEB
News mentions
0No linked articles in our index yet.