CVE-2021-28966
Description
In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path to TmpDir, potentially creating files in unintended directories.
Vulnerability
A path traversal vulnerability exists in Ruby's tmpdir library through version 3.0 on Windows. The Dir.mktmpdir method, when handling parameters, does not sufficiently sanitize user-supplied prefix/suffix strings, allowing a remote attacker to pass a crafted path containing directory traversal sequences (e.g., ..\\). This affects applications that pass untrusted user input as the prefix or suffix argument to Dir.mktmpdir. The issue is documented in references [1] and [3].
Exploitation
An attacker must be able to supply a string that is used as the prefix or suffix argument to Dir.mktmpdir. This typically occurs in web applications that handle file uploads or create temporary directories based on user-controlled parameters. A remote attacker can submit a parameter with path traversal characters (e.g., ../../malicious) to force the temporary directory to be created outside the intended location. No authentication is required beyond access to the vulnerable parameter. The exploit sequence is: the attacker sends a crafted request with a malicious prefix/suffix, the application calls Dir.mktmpdir with that input, and the directory is created at an attacker-controlled path [1].
Impact
Successful exploitation allows an attacker to create a directory at an arbitrary location on the filesystem. This can lead to unauthorized file writes or overwriting of existing files, potentially enabling privilege escalation, denial of service, or arbitrary code execution depending on where the directory is created and how it is used by the application. The confidentiality, integrity, and availability of the system may be compromised [1].
Mitigation
A fix was merged into the ruby/tmpdir repository on April 5, 2021, with commit 93798c0, which tightened character restrictions to only allow alphanumeric characters and filesystem-safe punctuation [2]. Users should update to a version of Ruby that includes this patch, or directly update the tmpdir gem to a version containing the fix. The Ruby advisory database [3] provides details on the vulnerable versions (Ruby through 3.0 on Windows). As of the publication date (2021-07-27), no official Ruby patch release had been announced; users should monitor for updates.
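The Vulnerability and Mitigation paragraphs above say the fix "tightened character restrictions", but not why the earlier separator list was insufficient on Windows. The script below is an added example, not code from ruby/tmpdir, and it rebuilds both constants from the patch hunk so the difference can be observed on any platform. Assumptions, labelled as such in the comments: tmpdir applies the constant to the prefix and suffix through String#delete, and the Windows values of File::SEPARATOR, File::ALT_SEPARATOR and File::PATH_SEPARATOR ("/", "\\", ";") are hard-coded so the script also runs on Linux or macOS. The helper names (`sanitize_old`, `sanitize_new`, `safe_tmp_component!`, `removed_chars`) are this example's own.

```ruby
# Added example (not from ruby/tmpdir): why the pre-fix separator list left
# backslashes in place on Windows, and what the patched allowlist does instead.

# Windows values of the separators the pre-fix constant was built from
# (File::SEPARATOR, File::ALT_SEPARATOR, File::PATH_SEPARATOR, ":").
# Hard-coded here (constructed) so the script runs on non-Windows hosts.
WINDOWS_SEPARATORS = ["/", "\\", ";", ":"].freeze

# Pre-fix constant, rebuilt from the diff's "-" line with the Windows values.
OLD_UNUSABLE_CHARS = WINDOWS_SEPARATORS.uniq.join("").freeze   # "/\\;:"

# Post-fix constant, verbatim from the diff's "+" line: a negated tr-style
# set, so String#delete removes everything outside ",-.0-9A-Z_a-z~".
NEW_UNUSABLE_CHARS = "^,-.0-9A-Z_a-z~".freeze

# Assumption: the library strips the unusable set with String#delete.
# String#delete reads its argument as a tr-style set in which a backslash
# escapes the following character, so the string "/\\;:" denotes the set
# {"/", ";", ":"} and the backslash itself is never removed.
def sanitize_old(name)
  name.delete(OLD_UNUSABLE_CHARS)
end

# Patched behaviour: keep only the allowlisted characters.
def sanitize_new(name)
  name.delete(NEW_UNUSABLE_CHARS)
end

# Defender-side variant for application code that builds the prefix/suffix
# from request data: reject rather than silently strip, so the caller can log
# the event and return a client error instead of guessing the intent.
def safe_tmp_component!(name)
  if name != sanitize_new(name)
    raise ArgumentError, "unsafe tmpdir component: #{name.inspect}"
  end
  name
end

# Lists which printable ASCII characters a delete/tr spec actually removes.
# Useful for auditing any hand-written character set before trusting it.
def removed_chars(spec, probe = (32..126).map(&:chr))
  probe.reject { |c| c.delete(spec) == c }
end

if __FILE__ == $0
  crafted = "..\\..\\Users\\Public\\evil"   # constructed Windows-style input
  puts "old: #{sanitize_old(crafted).inspect}"   # backslashes survive
  puts "new: #{sanitize_new(crafted).inspect}"   # "....UsersPublicevil"
  puts "old spec removes only: #{removed_chars(OLD_UNUSABLE_CHARS).inspect}"
end
```

Running it shows the old set removing only "/", ":" and ";" while the crafted backslash sequence passes through untouched; the allowlist form needs no escaping at all, which is the design reason an allowlist is the safer way to express such a restriction.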
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tmpdir (RubyGems) | < 0.1.2 | 0.1.2 |
Affected products
- Ruby/Ruby (from description)
- OSV coordinates: 3 versions: < 2.7.3, + 2 more
- (no CPE) range: < 2.7.3
- (no CPE) range: < 2.7.3
- (no CPE) range: < 0.1.2
Patches
93798c01cb7c: Merge pull request #8 from nobu/h1-1131465
2 files changed · +5 −3
lib/tmpdir.rb+1 −1 modified@@ -115,7 +115,7 @@ def tmpdir Dir.tmpdir end - UNUSABLE_CHARS = [File::SEPARATOR, File::ALT_SEPARATOR, File::PATH_SEPARATOR, ":"].uniq.join("").freeze + UNUSABLE_CHARS = "^,-.0-9A-Z_a-z~" class << (RANDOM = Random.new) MAX = 36**6 # < 0x100000000
test/test_tmpdir.rb+4 −2 modified@@ -97,8 +97,10 @@ def assert_mktmpdir_traversal target = target.chomp('/') + '/' traversal_path = target.sub(/\A\w:/, '') # for DOSISH traversal_path = Array.new(target.count('/')-2, '..').join('/') + traversal_path - actual = yield traversal_path - assert_not_send([File.absolute_path(actual), :start_with?, target]) + [File::SEPARATOR, File::ALT_SEPARATOR].compact.each do |separator| + actual = yield traversal_path.tr('/', separator) + assert_not_send([File.absolute_path(actual), :start_with?, target]) + end end end end
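Review bot: in the lib/tmpdir.rb hunk the new `+ UNUSABLE_CHARS = "^,-.0-9A-Z_a-z~"` is a negated tr-style character set (an allowlist spec), no longer a list of forbidden characters, so the constant's name now contradicts its content and nothing on the line explains the notation; suggest a comment stating that the leading `^` negates the set and that `,-.` is a range covering comma, hyphen and period (or a rename to something like USABLE_CHARS). It would also help to record why the removed line failed: `[...].uniq.join("")` fed a raw backslash (File::ALT_SEPARATOR on Windows) into a tr-style set, where it acts as an escape for the following character instead of a member, which is the defect this change closes.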
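Review bot: in the test/test_tmpdir.rb hunk the loop over `[File::SEPARATOR, File::ALT_SEPARATOR].compact` reuses one bare `assert_not_send([...])`, so a failure on the alternate-separator case produces the same message as the "/" case; pass a message such as `"separator=#{separator.inspect}"` so the failing iteration is identifiable. Also, because `compact` drops a nil ALT_SEPARATOR, the backslash case is exercised only where that constant is set (Windows), so the regression this PR fixes is covered only by a Windows CI run; a short comment on the loop, or a CI matrix entry, would make that dependency visible.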
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-46f2-3v63-3xrp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-28966 (ghsa, ADVISORY)
- github.com/ruby/tmpdir/commit/93798c01cb7c10476e50a4d80130a329ba47f348 (ghsa, WEB)
- github.com/ruby/tmpdir/pull/8 (ghsa, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/tmpdir/CVE-2021-28966.yml (ghsa, WEB)
- hackerone.com/reports/1131465 (ghsa, x_refsource_MISC, WEB)
- rubygems.org/gems/tmpdir (ghsa, WEB)
- security.netapp.com/advisory/ntap-20210902-0004 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20210902-0004/ (mitre, x_refsource_CONFIRM)
- www.ruby-lang.org/en/news/2021/04/05/tempfile-path-traversal-on-windows-cve-2021-28966 (ghsa, WEB)