Moderate severityNVD Advisory· Published Sep 23, 2020· Updated Aug 4, 2024

CVE-2020-25739

Description

An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
gonRubyGems	< 6.4.0	6.4.0

Affected products

gon gem/gondescription
ghsa-coords
pkg:gem/gon
Range: < 6.4.0

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-78vq-9j56-wrfrghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-25739ghsaADVISORY
usn.ubuntu.com/4560-1/mitrevendor-advisoryx_refsource_UBUNTU
github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7ghsax_refsource_CONFIRMWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/gon/CVE-2020-25739.ymlghsaWEB
lists.debian.org/debian-lts-announce/2020/09/msg00018.htmlghsamailing-listx_refsource_MLISTWEB
usn.ubuntu.com/4560-1ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000