CVE-2019-10780
Description
BibTeX-ruby before 5.1.0 allows OS command injection via unsanitized input to Kernel.open.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
BibTeX-ruby before version 5.1.0 passes the caller-supplied path straight to Ruby's Kernel.open inside BibTeX.open [1][2]. Kernel.open is not a plain file API: when its first argument begins with a pipe character ("|"), it spawns a subprocess, runs the remainder of the string as a shell command, and returns that command's output as the "file" contents. Because BibTeX.open neither validated the path nor used a file-only API, anyone who controls the path string can execute arbitrary shell commands.
Exploitation
An attacker who can influence the path passed to BibTeX.open supplies a string that begins with "|" followed by the command to run, for example "|id" [3]. Everything after the leading pipe is handed to the shell, so ordinary separators such as ; and backticks can chain further commands. No authentication is required beyond the ability to supply that input, and the attack vector is network-based when the application builds the path from remote user input (for example an uploaded filename).
Impact
Successful exploitation executes arbitrary OS commands with the privileges of the Ruby process [4], which can lead to full compromise of the host, data exfiltration, or lateral movement within the network. The severity is critical (CVSS 3.x base score 9.8 in the NVD entry [2]): the sink is reachable over the network, needs no privileges or user interaction, and yields code execution.
Mitigation
The vulnerability is fixed in BibTeX-ruby 5.1.0, which replaces Kernel.open with File.read [1][4]; upgrade to 5.1.0 or later. Applications that cannot upgrade immediately can avoid the sink by reading the file themselves with File.read and passing the contents to BibTeX.parse, or by rejecting any path that starts with "|" before calling BibTeX.open. Upgrading remains the proper fix.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
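The sink and the fix side by side, as an added example that is not code from bibtex-ruby or from its advisory: `vulnerable_open` mirrors the pre-5.1.0 call `Kernel.open(path, 'r:UTF-8')`, `fixed_open` mirrors the 5.1.0 replacement with `File.read` (the `encoding:` option is an assumption added here to keep the old UTF-8 read; the upstream fix calls `File.read(path)` bare), and `safe_path?` is a hypothetical guard a caller could apply before handing untrusted input to the library. The payload string, the sample .bib content and the helper names are constructed for the demonstration. Running it shows that the same pipe-prefixed string executes a command through Kernel.open but is treated as a non-existent filename by File.read.

```ruby
# Added example for CVE-2019-10780; not bibtex-ruby code.
require 'tempfile'

# Mirrors the pre-5.1.0 BibTeX.open sink: the path goes straight to Kernel.open.
# Kernel.open treats a string beginning with "|" as a command to spawn and
# returns the command's stdout as the "file" contents.
def vulnerable_open(path)
  Kernel.open(path, 'r:UTF-8') { |io| io.read }
end

# Mirrors the 5.1.0 fix. File.read (unlike Kernel.open and IO.read) never
# interprets a leading "|"; the whole string is a filename.
# encoding: 'UTF-8' is an assumption to preserve the original mode string.
def fixed_open(path)
  File.read(path, encoding: 'UTF-8')
end

# Hypothetical defence-in-depth guard for callers that cannot upgrade yet:
# refuse the one shape of input that Kernel.open turns into a command.
def safe_path?(path)
  !path.to_s.start_with?('|')
end

# Constructed sample input: a minimal .bib file written to a temp file.
SAMPLE_BIB = "@article{key, title={Sample}, year={2019}}\n".freeze

def write_sample_bib
  f = Tempfile.new(['sample', '.bib'])
  f.write(SAMPLE_BIB)
  f.close
  f.path
end

# Constructed attacker-controlled "path": the leading pipe makes Kernel.open
# run `echo ...` in a subprocess. Deliberately benign.
PAYLOAD = '|echo CVE-2019-10780-injected'.freeze

# Exercise both implementations on a real file and on the payload.
def demo
  bib = write_sample_bib
  results = {}
  results[:vuln_file]  = vulnerable_open(bib)          # normal file read
  results[:vuln_pipe]  = vulnerable_open(PAYLOAD).strip # command output: injected
  results[:fixed_file] = fixed_open(bib)               # normal file read
  results[:fixed_pipe] = begin
    fixed_open(PAYLOAD)
    :read_ok
  rescue Errno::ENOENT
    :enoent # "|echo ..." is looked up as a filename and does not exist
  end
  results[:guard] = [safe_path?(bib), safe_path?(PAYLOAD)]
  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The interesting line is `:vuln_pipe`: no shell metacharacter other than the leading pipe is needed, which is why input validation that only strips `;` or backticks would not have closed this sink.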
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bibtex-ruby (RubyGems) | < 5.1.0 | 5.1.0 |
Affected products
- BibTeX-ruby/BibTeX-ruby
Patches
14406f4460f4 Use File.read instead of Kernel.open
1 file changed · +1 −1
lib/bibtex/bibliography.rb+1 −1 modified@@ -47,7 +47,7 @@ class << self # -:filter: convert all entries using the sepcified filter (not set by default) # def open(path, options = {}) - b = parse(Kernel.open(path, 'r:UTF-8').read, options) + b = parse(File.read(path), options) b.path = path return b unless block_given?
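Review bot: the replacement `b = parse(File.read(path), options)` drops the explicit 'r:UTF-8' mode of the removed `Kernel.open(path, 'r:UTF-8')` call, so the parsed string now carries Encoding.default_external rather than UTF-8; `File.read(path, encoding: 'UTF-8')` keeps the previous behaviour. The substitution itself is sound: File.read, unlike Kernel.open and IO.read, never treats a leading "|" as a command, so the pipe sink is gone. The path is still passed through unvalidated (and stored via `b.path = path`), so callers feeding untrusted input can still have any readable file parsed; that is outside this CVE but worth a note in the changelog. Minor: "sepcified" in the surrounding comment is a typo.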
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-c5r5-7pfh-6qg6 (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2019-10780 (NVD entry)
3. github.com/inukshuk/bibtex-ruby/commit/14406f4460f4e1ecabd25ca94f809b3ea7c5fb11 (fix commit)
4. github.com/rubysec/ruby-advisory-db/blob/master/gems/bibtex-ruby/CVE-2019-10780.yml (ruby-advisory-db entry)
5. snyk.io/vuln/SNYK-RUBY-BIBTEXRUBY-542602 (Snyk advisory)
News mentions
No linked articles in our index yet.