CVE-2020-14001
Description
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In kramdown before 2.3.0, the template option is processed from within a Markdown document by default, allowing file read or Ruby code execution.
Vulnerability
Description
The kramdown gem for Ruby, versions prior to 2.3.0, honours the template option when it is set from inside the Markdown document itself, and does so by default [1]. kramdown's {::options ... /} block extension lets a document assign any defined option, and before 2.3.0 no option was excluded from it, so a document could set template and kramdown would apply it during conversion. The vulnerability arises because template is resolved either as a path to a template file that kramdown reads from disk or, when the value starts with string://, as an inline embedded-Ruby (ERB) template whose code is evaluated, as noted in the official description [2].
Exploitation
An attacker who controls a Markdown document can include a block such as {::options template="/etc/passwd" /}; kramdown reads that path as its template, so the file contents are emitted in the rendered output [2]. Alternatively, a template value beginning with string://<%= is treated as an inline template, and the Ruby between the <%= and %> delimiters is executed by the process performing the conversion [2]. No authentication is needed beyond the ability to submit Markdown that kramdown renders: this covers comment systems, wikis and forums that render user content on request, and static site generators, where the code runs on the build host at publish time.
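As an added illustration (this is not kramdown's code, and it simplifies the real thing, which also searches for template files under converter-specific names and exposes its own converter object to the template), the following Ruby models the two pieces described above, the {::options} block extension and template resolution, first as kramdown before 2.3.0 behaved and then with a deny list of the kind 2.3.0 introduced. The module name TemplateModel, the method names and the two sample documents are this example's own; the file-read payload is pointed at a temporary file constructed here instead of /etc/passwd, and the code-execution payload evaluates a harmless expression rather than a shell command.

```ruby
require 'erb'
require 'tempfile'

# Example code, not part of kramdown. Models the pre-2.3.0 option flow:
# document-supplied {::options ... /} assignments land in the converter's
# option hash, and a "template" value is either an ERB string ("string://")
# or a file path that is read from disk.
module TemplateModel
  OPTIONS_BLOCK = /\A\{::options\s+(.*?)\s*\/\}\s*\z/
  OPTION_PAIR   = /(\w+)="([^"]*)"/

  # Split a Markdown document into inline option assignments and body text.
  def self.extract_options(markdown)
    opts, body = {}, +''
    markdown.each_line do |line|
      if (m = OPTIONS_BLOCK.match(line))
        m[1].scan(OPTION_PAIR) { |k, v| opts[k.to_sym] = v }
      else
        body << line
      end
    end
    [opts, body]
  end

  # Resolve the template the way kramdown does in outline: "string://" marks an
  # inline ERB template, anything else is a path on disk. Either way the result
  # is run through ERB, so Ruby inside <%= %> executes.
  def self.apply_template(template, body)
    source = template.start_with?('string://') ? template.delete_prefix('string://') : File.read(template)
    ERB.new(source).result(binding)
  end

  # kramdown < 2.3.0: every inline option is accepted, template included.
  def self.convert_unsafe(markdown, options = {})
    inline, body = extract_options(markdown)
    merged = options.merge(inline)
    merged[:template] ? apply_template(merged[:template], body) : body
  end

  # kramdown 2.3.0 shape: options on the deny list (default: template) are dropped
  # with a warning, and the deny list itself can never be set from the document.
  def self.convert_hardened(markdown, options = {}, warnings = [])
    merged = options.dup
    forbidden = Array(merged.fetch(:forbidden_inline_options, [:template])).map(&:to_sym)
    inline, body = extract_options(markdown)
    inline.each do |k, v|
      if forbidden.include?(k) || k == :forbidden_inline_options
        warnings << "Option #{k} may not be set inline"
        next
      end
      merged[k] = v
    end
    merged[:template] ? apply_template(merged[:template], body) : body
  end
end

# Constructed inputs for the demonstration; the temp file stands in for /etc/passwd.
SECRET_FILE = Tempfile.new('secret').tap do |f|
  f.write("root:x:0:0:root:/root:/bin/bash\n")
  f.flush
end

FILE_READ_DOC = "# Title\n{::options template=\"#{SECRET_FILE.path}\" /}\nbody text\n"
# The CVE text's payload begins string://<%= ` and runs a shell command through the
# same channel; a harmless arithmetic expression is evaluated here instead.
CODE_EXEC_DOC = "{::options template=\"string://<%= 6 * 7 %>\" /}\nbody text\n"

if $PROGRAM_NAME == __FILE__
  puts "unsafe, file path: #{TemplateModel.convert_unsafe(FILE_READ_DOC).inspect}"
  puts "unsafe, string://: #{TemplateModel.convert_unsafe(CODE_EXEC_DOC).inspect}"
  w = []
  puts "hardened:          #{TemplateModel.convert_hardened(CODE_EXEC_DOC, {}, w).inspect}"
  puts "warnings:          #{w.inspect}"
end
```

The unsafe path returns the temp file's contents for the first document and "42" for the second, which is the file read and the code execution from the description. The hardened path returns only the body text and records one warning per rejected option; a document that first tries to empty forbidden_inline_options and then sets template gets both blocks refused, which is why the deny list itself must be un-settable inline.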
Impact
Successful exploitation lets an attacker read any file the converting process can access (information disclosure) or execute arbitrary Ruby code with that process's privileges [2]. Either outcome can lead to full compromise of the rendering application or build host, exfiltration of its data and secrets, and lateral movement from there. The exposure is broad because kramdown is the Markdown engine used by Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum [2].
Mitigation
The vulnerability was fixed in kramdown 2.3.0 [1][3], which adds a forbidden_inline_options setting, defaulting to template, that makes the parser refuse and warn about any listed option set through the {::options} extension, and that cannot itself be changed from inside a document (see Patches). Upgrade to 2.3.0 or later; distributions also shipped backported fixes under their own package versions (see Affected products and References). The default list covers only template, so applications that render untrusted Markdown should check whether any other option they expose belongs on it. No workaround is provided by the vendor for earlier versions [2].
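A practical first step for the upgrade advice above is finding out which projects still resolve kramdown below 2.3.0. The following Ruby is an added example, not tooling from kramdown or the advisory: it parses a Bundler Gemfile.lock, compares the pinned kramdown version against the fixed version using Gem::Version, and lists the gems that depend on kramdown, since those are the code paths that hand it Markdown. The function names and the sample lockfile are this example's own; a real audit would pass the path of a Gemfile.lock on the command line.

```ruby
require 'rubygems'

# Example code, not from kramdown or the advisory: audit a Bundler Gemfile.lock
# against the affected range for CVE-2020-14001 (kramdown < 2.3.0, fixed in 2.3.0).
FIXED_KRAMDOWN = Gem::Version.new('2.3.0')

# In a Gemfile.lock, each resolved gem appears under "specs:" at four spaces of
# indent as "name (version)", followed by its dependencies at six spaces.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\s*\z/
DEP_LINE  = /\A {6}(\S+)(?: \(.*\))?\s*\z/

# Returns { gem_name => { version: String, deps: [String] } }.
def parse_lockfile(text)
  specs = {}
  current = nil
  text.each_line do |line|
    if (m = SPEC_LINE.match(line))
      current = m[1]
      specs[current] = { version: m[2], deps: [] }
    elsif current && (m = DEP_LINE.match(line))
      specs[current][:deps] << m[1]
    else
      current = nil # blank line or a different section of the lockfile
    end
  end
  specs
end

# Versions of the gem named exactly "kramdown" that are below the fix.
# kramdown-parser-gfm and other kramdown-* gems are separate packages and must not match.
def vulnerable_kramdown_versions(text)
  parse_lockfile(text)
    .select { |name, s| name == 'kramdown' && Gem::Version.correct?(s[:version]) }
    .map { |_, s| s[:version] }
    .select { |v| Gem::Version.new(v) < FIXED_KRAMDOWN }
end

# Gems that declare kramdown as a dependency: the code that feeds it Markdown.
def kramdown_dependents(text)
  parse_lockfile(text).select { |_, s| s[:deps].include?('kramdown') }.keys.sort
end

# Constructed lockfile for the example (versions chosen for illustration).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll (4.1.0)
        kramdown (~> 2.1)
        kramdown-parser-gfm (~> 1.0)
      kramdown (2.1.0)
        rexml
      kramdown-parser-gfm (1.1.0)
        kramdown (~> 2.0)
      rexml (3.2.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    jekyll

  BUNDLED WITH
     2.1.4
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  vuln = vulnerable_kramdown_versions(text)
  if vuln.empty?
    puts 'kramdown: not in the affected range (< 2.3.0)'
  else
    puts "kramdown #{vuln.join(', ')} is affected (< 2.3.0); dependents: #{kramdown_dependents(text).join(', ')}"
  end
end
```

Gem::Version handles prerelease strings, so a lock pinned to 2.3.0.pre1 is still reported as affected, and the exact-name match keeps kramdown-parser-gfm (which depends on kramdown but is not it) out of the result.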
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| kramdown (RubyGems) | < 2.3.0 | 2.3.0 |
Affected products
- Ruby/kramdown gem (GitHub Security Advisory coordinates; 10 package URLs, none with a CPE assigned). The distribution ranges are the packages' own version strings, not upstream kramdown versions.

| Package URL | Affected range |
|---|---|
| pkg:gem/kramdown | < 2.3.0 |
| pkg:rpm/opensuse/ruby3.2-rubygem-kramdown&distro=openSUSE%20Tumbleweed | < 2.4.0-1.8 |
| pkg:rpm/opensuse/rubygem-kramdown&distro=openSUSE%20Leap%2015.3 | < 1.15.0-150000.3.3.1 |
| pkg:rpm/opensuse/rubygem-kramdown&distro=openSUSE%20Leap%2015.4 | < 1.15.0-150000.3.3.1 |
| pkg:rpm/opensuse/rubygem-kramdown&distro=openSUSE%20Tumbleweed | < 2.4.0-1.1 |
| pkg:rpm/suse/rubygem-kramdown&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015 | < 1.15.0-150000.3.3.1 |
| pkg:rpm/suse/rubygem-kramdown&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1 | < 1.15.0-150000.3.3.1 |
| pkg:rpm/suse/rubygem-kramdown&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2 | < 1.15.0-150000.3.3.1 |
| pkg:rpm/suse/rubygem-kramdown&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3 | < 1.15.0-150000.3.3.1 |
| pkg:rpm/suse/rubygem-kramdown&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4 | < 1.15.0-150000.3.3.1 |
Patches
1b8fd33c3120 Add option forbidden_inline_options
3 files changed · +18 −0
lib/kramdown/options.rb+10 −0 modified@@ -589,6 +589,16 @@ def self.simple_hash_validator(val, name) Used by: HTML converter EOF + define(:forbidden_inline_options, Object, %w[template], <<~EOF) do |val| + Defines the options that may not be set using the {::options} extension + + Default: template + Used by: HTML converter + EOF + val.map! {|item| item.kind_of?(String) ? str_to_sym(item) : item } + simple_array_validator(val, :forbidden_inline_options) + end + end end
lib/kramdown/parser/kramdown/extensions.rb+6 −0 modified@@ -110,6 +110,12 @@ def handle_extension(name, opts, body, type, line_no = nil) opts.select do |k, v| k = k.to_sym if Kramdown::Options.defined?(k) + if @options[:forbidden_inline_options].include?(k) || + k == :forbidden_inline_options + warning("Option #{k} may not be set inline") + next false + end + begin val = Kramdown::Options.parse(k, v) @options[k] = val
test/testcases/block/12_extension/options.text+2 −0 modified@@ -19,3 +19,5 @@ some <span>*para*</span> Some text[^ab]. [^ab]: Some text. + +{::options template="/etc/passwd" /}
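Review bot: in the lib/kramdown/options.rb hunk, the validator's `val.map! {|item| item.kind_of?(String) ? str_to_sym(item) : item }` mutates the caller's array in place, so a frozen array (for example one kept in a constant) raises FrozenError instead of being validated; use `val = val.map { ... }` before passing it to simple_array_validator. The doc block for the new option also says `Used by: HTML converter`, copied from the entry above it, but the option is enforced in the kramdown parser's extension handling (the lib/kramdown/parser/kramdown/extensions.rb hunk), so the doc should name the parser.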
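Review bot: in the lib/kramdown/parser/kramdown/extensions.rb hunk, the new check in handle_extension is a deny list that ships with only template on it, so any other option that touches the filesystem or evaluates code stays settable from the document unless the application adds it; either document that callers rendering untrusted input must review the remaining options, or consider an allow list of options that are safe to set inline. The `k == :forbidden_inline_options` clause is needed, since otherwise `{::options forbidden_inline_options="" /}` would clear the list before a following block sets template. The message `warning("Option #{k} may not be set inline")` could include the line number (`line_no` is already a parameter of handle_extension) so operators can locate the offending block in a large document.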
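Review bot: the test/testcases/block/12_extension/options.text hunk only adds the input line `{::options template="/etc/passwd" /}`; with no change to the expected output among the 3 files in this commit, the test passes as long as the block produces no output, which would also hold if the block were dropped for some unrelated reason. Add an assertion that the "Option template may not be set inline" warning is recorded, a case with a permitted inline option to show the filter is selective, and a case that attempts to set forbidden_inline_options inline.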
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mqm2-cgpr-p4m6 (GitHub Security Advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/ (Fedora package announcement; MITRE vendor advisory, also listed by GHSA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/ (Fedora package announcement; MITRE vendor advisory, also listed by GHSA)
- nvd.nist.gov/vuln/detail/CVE-2020-14001 (NVD entry; GHSA)
- usn.ubuntu.com/4562-1/ (Ubuntu USN-4562-1; MITRE vendor advisory, also listed by GHSA)
- www.debian.org/security/2020/dsa-4743 (Debian DSA-4743; vendor advisory, GHSA)
- github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde (fix commit; GHSA)
- github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0 (release diff 2.2.1 to 2.3.0; GHSA)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/kramdown/CVE-2020-14001.yml (ruby-advisory-db entry; GHSA)
- kramdown.gettalong.org (project site; GHSA)
- kramdown.gettalong.org/news.html (release news; GHSA)
- lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E (Apache Fluo notifications thread; MITRE mailing list, also listed by GHSA)
- lists.debian.org/debian-lts-announce/2020/08/msg00014.html (Debian LTS announcement; GHSA)
- rubygems.org/gems/kramdown (package page; GHSA)
- security.netapp.com/advisory/ntap-20200731-0004/ (NetApp advisory; MITRE, also listed by GHSA)