CVE-2019-10842
Description
Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A backdoor in bootstrap-sass 3.2.0.3 (published to RubyGems) allows unauthenticated remote code execution via a crafted ___cfduid cookie.
Vulnerability
Arbitrary code execution was discovered in the bootstrap-sass Ruby gem version 3.2.0.3, when downloaded from RubyGems.org [2]. The malicious package includes a backdoor that reads a cookie named ___cfduid (three underscores) and passes its base64-decoded value to eval(), enabling arbitrary code execution on the server [2][3]. This version was published only to RubyGems; no source code changes exist in the official GitHub repository [3].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending an HTTP request to a Rails application using the vulnerable gem, with a crafted ___cfduid cookie containing base64-encoded arbitrary code [2][3]. No authentication or prior access is required. The server-side code decodes the cookie and executes it via eval(), allowing immediate code execution [3].
Impact
Successful exploitation gives the attacker full remote code execution on the server running the Rails application [2][3]. This can lead to complete compromise of the application and underlying system, including data theft, service disruption, or further lateral movement [3].
Mitigation
The malicious version 3.2.0.3 should be immediately replaced with version 3.2.0.4, which was re-published without the backdoor [3]. Users are also advised to upgrade to any later secure version (e.g., 3.4.1) [1][3]. Only version 3.2.0.3 is affected; versions before and after it do not contain the backdoor. The affected package is not present in the known exploited vulnerabilities catalog (KEV).
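Two defender-side checks that follow from the mechanics and mitigation above, written as an added example rather than code from the advisory or the bootstrap-sass project: one flags a Gemfile.lock that pins the backdoored release range, the other flags a Cookie header carrying the three-underscore cookie name while leaving Cloudflare's legitimate __cfduid alone. The Gemfile.lock excerpt and cookie strings are constructed sample inputs.

```ruby
# Added example for CVE-2019-10842 (not part of the advisory or the gem).
# Gem::Version comes from RubyGems, which Ruby loads by default.

AFFECTED_GEM  = 'bootstrap-sass'
BAD_VERSION   = Gem::Version.new('3.2.0.3')  # backdoored release on RubyGems
FIXED_VERSION = Gem::Version.new('3.2.0.4')  # clean re-publish

# Return every bootstrap-sass version pinned in a Gemfile.lock body that
# falls inside the advisory range (>= 3.2.0.3, < 3.2.0.4).
# Only exact pins "name (x.y.z)" are matched; dependency lines such as
# "bootstrap-sass (>= 3.2.0)" carry an operator and are skipped.
def affected_lock_versions(lockfile_text)
  pattern = /^\s+#{Regexp.escape(AFFECTED_GEM)} \((\d[^)]*)\)/
  lockfile_text.scan(pattern).flatten.select do |v|
    ver = Gem::Version.new(v)
    ver >= BAD_VERSION && ver < FIXED_VERSION
  end
end

# Return the cookie names in an HTTP Cookie header that match the
# backdoor's trigger name: ___cfduid with exactly three underscores.
# The two-underscore __cfduid set by Cloudflare is deliberately not flagged.
def suspicious_cookie_names(cookie_header)
  cookie_header.to_s.split(/;\s*/)
               .map { |pair| pair.split('=', 2).first.to_s.strip }
               .select { |name| name == '___cfduid' }
end

# Constructed Gemfile.lock excerpt pinning the malicious release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        sass (>= 3.3.4)
      sass (3.7.4)
LOCK

if __FILE__ == $0
  puts "affected versions: #{affected_lock_versions(SAMPLE_LOCK).inspect}"
  header = '__cfduid=d1234567890; ___cfduid=ZXhhbXBsZQ=='  # constructed
  puts "suspicious cookies: #{suspicious_cookie_names(header).inspect}"
end
```

Running the lockfile check in CI and the cookie check at the edge (a WAF rule or Rack middleware) gives two independent signals: one catches the dependency before deploy, the other catches attempts to trigger a backdoor that slipped through.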
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bootstrap-sass (RubyGems) | >= 3.2.0.3, < 3.2.0.4 | 3.2.0.4 |
Affected products
- Range: = 3.2.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vqqv-v9m2-48p2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10842 (NVD advisory)
- dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html (MITRE, MISC)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2019-10842.yml (GHSA, web)
- github.com/twbs/bootstrap-sass/issues/1195 (GHSA/MITRE, MISC)
- snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem (GHSA/MITRE, MISC)
- snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093 (GHSA/MITRE, MISC)
News mentions
No linked articles in our index yet.