Critical severity 9.8 · NVD Advisory · Published Jul 17, 2017 · Updated May 13, 2026
CVE-2017-1000037
Description
- RVM automatically loads environment variables from files in $PWD, resulting in command execution.
- RVM is vulnerable to command injection when automatically loading environment variables from files in $PWD.
- RVM automatically executes hooks located in $PWD, resulting in code execution.
- RVM automatically installs gems as specified by files in $PWD, resulting in code execution.
- RVM automatically does "bundle install" on a Gemfile specified by .versions.conf in $PWD, resulting in code execution.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
- github.com/justinsteven/advisories/blob/master/2017_rvm_cd_command_execution.md (nvd: Exploit, Third Party Advisory)