VYPR
Critical severity (CVSS 9.8) · NVD Advisory · Published Oct 11, 2017 · Updated May 13, 2026

CVE-2017-0903

Description

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
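The description above says the fix is an allow-list applied to YAML deserialization. The following is an added example, not code from the advisory or from RubyGems itself: it models that allow-list approach with Psych's keyword-argument `safe_load` (Psych >= 3.1; the 2017 patch used the older positional form), using a constructed stand-in class `SpecLike`, a constructed module `ConstructedSafeYAML`, and constructed sample documents. It shows the three outcomes a loader must distinguish: a document built only from permitted classes and symbols loads, a document carrying a tag outside the allow-list is rejected, and a permitted class carrying a non-permitted symbol is rejected as well.

```ruby
require 'psych'

# Constructed stand-in for a gem specification: a plain object whose instance
# variables Psych will set from the YAML mapping.  It keeps the example
# independent of Gem::Specification.
class SpecLike
  attr_reader :name, :version, :dep_type
end

# Constructed loader in the spirit of the patch's Gem::SafeYAML: an allow-list
# of classes and of the symbol values a spec may legitimately contain.
module ConstructedSafeYAML
  PERMITTED_CLASSES = %w[Symbol SpecLike].freeze
  PERMITTED_SYMBOLS = %w[development runtime].freeze

  # Psych rejects any tag whose class is not listed, and any Symbol scalar not
  # in PERMITTED_SYMBOLS, by raising Psych::DisallowedClass.  aliases: true
  # mirrors the patch's trailing `true` argument (anchors/aliases allowed).
  def self.safe_load(input)
    Psych.safe_load(input,
                    permitted_classes: PERMITTED_CLASSES,
                    permitted_symbols: PERMITTED_SYMBOLS,
                    aliases: true)
  end

  # What a package reader should do with an untrusted document: turn the
  # exception into an explicit rejection instead of letting it escape.
  # Note that Psych::DisallowedClass inherits from Exception, not
  # StandardError, so a bare `rescue` would not catch it.
  def self.classify(input)
    [:ok, safe_load(input)]
  rescue Psych::DisallowedClass => e
    [:rejected, e.message]
  end
end

# Constructed sample documents (not taken from any real gem).
GOOD_DOC = <<~YAML
  --- !ruby/object:SpecLike
  name: example
  version: "1.0.0"
  dep_type: :runtime
YAML

# Tag outside the allow-list; the class does not even need to exist, the
# restricted class loader refuses it before any constant lookup happens.
BAD_CLASS_DOC = <<~YAML
  --- !ruby/object:NotOnTheAllowList
  name: example
YAML

# Permitted class, but a Symbol value that is not in PERMITTED_SYMBOLS.
BAD_SYMBOL_DOC = <<~YAML
  --- !ruby/object:SpecLike
  name: example
  version: "1.0.0"
  dep_type: :optional
YAML

if __FILE__ == $PROGRAM_NAME
  { good: GOOD_DOC, bad_class: BAD_CLASS_DOC, bad_symbol: BAD_SYMBOL_DOC }.each do |label, doc|
    status, detail = ConstructedSafeYAML.classify(doc)
    puts "#{label}: #{status} #{detail.is_a?(SpecLike) ? detail.name : detail}"
  end
end
```

Running the file prints one line per document; only the first loads, and both rejections name what was refused (`NotOnTheAllowList` and `Symbol` respectively), which is the information an installer should log when it refuses a gem.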

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions     Patched versions
rubygems-update (RubyGems)   >= 2.0.0, < 2.6.14    2.6.14

Affected products: 1

Patches: 1

Commit 510b1638ac9b

Whitelist classes and symbols that are in Gem spec YAML

https://github.com/rubygems/rubygems · Aaron Patterson · Oct 6, 2017 · via GHSA
7 files changed · +55 −5
  • lib/rubygems/config_file.rb (+1 −1, modified)
    @@ -345,7 +345,7 @@ def load_file(filename)
         return {} unless filename and File.exist? filename
     
         begin
    -      content = YAML.load(File.read(filename))
    +      content = Gem::SafeYAML.load(File.read(filename))
           unless content.kind_of? Hash
             warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
             return {}
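Review bot: the user config file now goes through `Gem::SafeYAML.load`, whose allow-list is `Symbol` only, so a `.gemrc` carrying any other tagged object will raise `Psych::DisallowedClass` at `content = Gem::SafeYAML.load(File.read(filename))` instead of reaching the `unless content.kind_of? Hash` warning path. The `rescue` clauses of this `begin` block are outside the hunk; check that they cover that exception (it inherits from `Exception`, not `StandardError`) and still return `{}` for an unreadable config rather than aborting every gem command.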
    
  • lib/rubygems/package/old.rb (+1 −1, modified)
    @@ -101,7 +101,7 @@ def file_list io # :nodoc:
           header << line
         end
     
    -    YAML.load header
    +    Gem::SafeYAML.safe_load header
       end
     
       ##
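Review bot: switching the old-format header parse to `Gem::SafeYAML.safe_load header` is the right call for bytes read from an untrusted gem, but the hunk adds no test. A fixture whose header carries a non-whitelisted `!ruby/object:` tag, asserting that `file_list` raises `Psych::DisallowedClass` (or whatever `Gem::Package::Old` translates it to), would pin the behaviour so a later refactor cannot quietly revert to `YAML.load`.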
    
  • lib/rubygems/package.rb (+1 −1, modified)
    @@ -468,7 +468,7 @@ def read_checksums gem
     
         @checksums = gem.seek 'checksums.yaml.gz' do |entry|
           Zlib::GzipReader.wrap entry do |gz_io|
    -        YAML.load gz_io.read
    +        Gem::SafeYAML.safe_load gz_io.read
           end
         end
       end
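Review bot: `checksums.yaml.gz` only ever holds a hash of algorithm names to path/digest strings, so `Gem::SafeYAML.safe_load gz_io.read` grants this reader the full specification allow-list (`Gem::Specification`, `Time`, `Gem::Platform`, ...) that it does not need. The narrower `Gem::SafeYAML.load` (Symbol only) would express the intent and shrink what a tampered checksums file can instantiate.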
    
  • lib/rubygems.rb (+2 −1, modified)
    @@ -675,7 +675,7 @@ def self.load_yaml
     
         unless test_syck
           begin
    -        gem 'psych', '>= 1.2.1'
    +        gem 'psych', '>= 2.0.0'
           rescue Gem::LoadError
             # It's OK if the user does not have the psych gem installed.  We will
             # attempt to require the stdlib version
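Review bot: raising the activation to `gem 'psych', '>= 2.0.0'` is what makes `safe_load` available, but the `rescue Gem::LoadError` below keeps the fallback to whatever `psych` the standard library ships, so on a Ruby whose bundled psych is older than 2.0 the new loader falls through to its non-safe branch with only a warning. State the minimum supported psych/Ruby in the changelog, or fail hard here, so that the downgrade is not silent.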
    @@ -699,6 +699,7 @@ def self.load_yaml
         end
     
         require 'yaml'
    +    require 'rubygems/safe_yaml'
     
         # If we're supposed to be using syck, then we may have to force
         # activate it via the YAML::ENGINE API.
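Review bot: `require 'rubygems/safe_yaml'` is placed before the syck handling that the comment below describes, and the new module decides between its safe and non-safe branches with `::YAML.respond_to? :safe_load` at require time; if `YAML::ENGINE` is switched afterwards, the branch chosen here no longer matches the engine that `::YAML.safe_load` and `::YAML.load` dispatch to. Moving the require after the engine selection, or re-checking inside the methods, avoids that mismatch.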
    
  • lib/rubygems/safe_yaml.rb (+48 −0, added)
    @@ -0,0 +1,48 @@
    +module Gem
    +
    +  ###
    +  # This module is used for safely loading YAML specs from a gem.  The
    +  # `safe_load` method defined on this module is specifically designed for
    +  # loading Gem specifications.  For loading other YAML safely, please see
    +  # Psych.safe_load
    +
    +  module SafeYAML
    +    WHITELISTED_CLASSES = %w(
    +      Symbol
    +      Time
    +      Date
    +      Gem::Dependency
    +      Gem::Platform
    +      Gem::Requirement
    +      Gem::Specification
    +      Gem::Version
    +      Gem::Version::Requirement
    +      YAML::Syck::DefaultKey
    +      Syck::DefaultKey
    +    )
    +
    +    WHITELISTED_SYMBOLS = %w(
    +      development
    +      runtime
    +    )
    +
    +    if ::YAML.respond_to? :safe_load
    +      def self.safe_load input
    +        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
    +      end
    +
    +      def self.load input
    +        ::YAML.safe_load(input, [::Symbol])
    +      end
    +    else
    +      warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
    +      def self.safe_load input, *args
    +        ::YAML.load input
    +      end
    +
    +      def self.load input
    +        ::YAML.load input
    +      end
    +    end
    +  end
    +end
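Review bot: the `else` branch of `lib/rubygems/safe_yaml.rb` turns the fix off with nothing more than a `warn`: both `safe_load` and `load` fall back to `::YAML.load input`, so on an interpreter without `Psych.safe_load` a crafted gemspec is deserialized exactly as before, and a one-line warning is easy to miss in installer output. Consider raising (or refusing to load specs) in that branch, and align the two `safe_load` signatures, since only the fallback accepts `*args`. Two smaller points: `WHITELISTED_CLASSES` lists `YAML::Syck::DefaultKey` and `Syck::DefaultKey`, yet only the Psych branch ever consults the list; and the trailing `true` passed to `::YAML.safe_load` enables aliases, which spec YAML may need but which the allow-list does not constrain, so document that choice.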
    
  • lib/rubygems/specification.rb (+1 −1, modified)
    @@ -1101,7 +1101,7 @@ def self.from_yaml(input)
         Gem.load_yaml
     
         input = normalize_yaml_input input
    -    spec = YAML.load input
    +    spec = Gem::SafeYAML.safe_load input
     
         if spec && spec.class == FalseClass then
           raise Gem::EndOfYAMLException
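Review bot: `spec = Gem::SafeYAML.safe_load input` changes the failure mode of `from_yaml`: a spec with a non-whitelisted tag now raises `Psych::DisallowedClass` rather than returning an object, and the `if spec && spec.class == FalseClass` check below only handles the end-of-document case. Callers reading specs from untrusted gems will see that as an unhandled exception; rescuing it here and re-raising as a `Gem::Exception` subclass, the way `Gem::EndOfYAMLException` is already used, would give `gem install` a clean rejection message.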
    
  • Manifest.txt (+1 −0, modified)
    @@ -387,6 +387,7 @@ lib/rubygems/resolver/specification.rb
     lib/rubygems/resolver/stats.rb
     lib/rubygems/resolver/vendor_set.rb
     lib/rubygems/resolver/vendor_specification.rb
    +lib/rubygems/safe_yaml.rb
     lib/rubygems/security.rb
     lib/rubygems/security/policies.rb
     lib/rubygems/security/policy.rb
    

References: 18

News mentions: 0 (no linked articles in our index yet)