CVE-2021-31799
Description
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RDoc 3.11 to 6.3.0 uses Kernel#open to process filenames; a filename starting with | and ending with tags can execute arbitrary commands when rdoc is run.
Vulnerability
In RDoc versions 3.11 through 6.3.0, local files are opened with Kernel#open [4]. Kernel#open treats an argument that begins with | as a command to run rather than a path, and RDoc applies this call to names ending in tags when it checks whether a file is a ctags index, so a filename that begins with | and ends with tags causes the command after the pipe character to be executed [1][4]. This affects RDoc as distributed with Ruby up to 3.0.1 [1].
Exploitation
An attacker can create a Ruby project containing a file named in the format |command|tags. When a user runs rdoc on this project, RDoc processes the file and the injected command is executed [4]. No authentication or network access is required; only the ability to provide a malicious filename in the project directory.
Impact
Successful exploitation allows arbitrary command execution with the user's privileges [4]. This could lead to code execution, data theft, or further compromise of the system [1].
Mitigation
The vulnerability is fixed in RDoc 6.3.1 and in Ruby versions 3.0.2, 2.7.4, and 2.6.8 [4]. Users should update RDoc to the latest version or upgrade Ruby accordingly. No workarounds are available [4].
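The mechanism and the fix side by side, as an added example rather than RDoc's own code: `tags_file?` mirrors the shape of the patched check (the /tags$/i gate and 100-byte magic test are taken from the commit on this page, but the method names, the `pipe_command_name?` pre-check and the sample files are constructed here), and `demo` runs it over a throwaway project tree containing a filename of the reported shape.

```ruby
require 'fileutils'
require 'tmpdir'

# Same magic-byte test the patched RDoc applies to candidate ctags/etags files.
TAGS_MAGIC = /\A(\f\n[^,]+,\d+$|!_TAG_)/

# Flags a string that Kernel#open (and the IO.read family of class methods)
# would interpret as a command to spawn rather than a path to read. Useful as
# a pre-check wherever names from an untrusted tree still reach those APIs.
def pipe_command_name?(name)
  name.start_with?('|')
end

# Hardened version of the check: File.open takes its argument strictly as a
# path, so a name such as "| touch evil.txt && echo tags" is opened as a file
# (or fails with Errno::ENOENT) instead of being handed to a shell.
def tags_file?(path)
  return false unless path =~ /tags$/i
  File.open(path, 'rb') { |io| (io.read(100) || '') =~ TAGS_MAGIC } ? true : false
rescue Errno::ENOENT, Errno::EACCES
  false
end

# Runs the check over a constructed project tree and reports what happened.
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.binwrite('TAGS', "\f\nfoo.rb,12\n")       # constructed etags index
      File.binwrite('main.rb', "puts 1\n")            # constructed source file
      hostile = '| touch evil.txt && echo tags'        # name shaped like the CVE report
      FileUtils.touch hostile
      {
        tags: tags_file?('TAGS'),             # true: magic bytes present
        source: tags_file?('main.rb'),        # false: name does not end in "tags"
        hostile: tags_file?(hostile),         # false: empty file read literally
        side_effect: File.exist?('evil.txt'), # false: nothing was executed
        flagged: pipe_command_name?(hostile)  # true: pre-check would reject it
      }
    end
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```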
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rdoc (RubyGems) | >= 3.11, < 6.1.2.1 | 6.1.2.1 |
| rdoc (RubyGems) | >= 6.2.0, < 6.2.1.1 | 6.2.1.1 |
| rdoc (RubyGems) | >= 6.3.0, < 6.3.1 | 6.3.1 |
Affected products
- RDoc / RDoc (from the CVE description)
- GitHub Security Advisory coordinates: 82 package versions (the rdoc gem and downstream distribution rpm packages); gem range >= 3.11, < 6.1.2.1, plus 81 further distribution-specific ranges
Patches
- a7f5d6ab8863 Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799
2 files changed · +13 −1
lib/rdoc/rdoc.rb+1 −1 modified@@ -443,7 +443,7 @@ def remove_unparseable files files.reject do |file, *| file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or (file =~ /tags$/i and - open(file, 'rb') { |io| + File.open(file, 'rb') { |io| io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ }) end
test/rdoc/test_rdoc_rdoc.rb+12 −0 modified@@ -456,6 +456,18 @@ def test_remove_unparseable_tags_vim end end + def test_remove_unparseable_CVE_2021_31799 + temp_dir do + file_list = ['| touch evil.txt && echo tags'] + file_list.each do |f| + FileUtils.touch f + end + + assert_equal file_list, @rdoc.remove_unparseable(file_list) + assert_equal file_list, Dir.children('.') + end + end + def test_setup_output_dir Dir.mktmpdir {|d| path = File.join d, 'testdir'
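Review bot: the swap from the bare `open(file, 'rb')` to `File.open(file, 'rb')` in `remove_unparseable` is the right fix, but the hunk leaves no comment recording why: an unqualified `open` resolves to Kernel#open, which treats a leading `|` in its argument as a command to spawn, whereas File.open always treats the argument as a path. A one-line comment above the call would keep a future "simplification" back to `open` from reintroducing the injection. The new test covers the reported shape well: the constructed name ends in `tags`, so it reaches the `open` branch, and `assert_equal file_list, Dir.children('.')` doubles as a check that no `evil.txt` appeared. Since this change hardens a single call site, a follow-up grep for other unqualified `open(` calls in lib/rdoc that receive names from the scanned tree would be worthwhile.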
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-ggxm-pgc9-g7fp (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-31799 (GHSA; advisory)
- security.gentoo.org/glsa/202401-05 (GHSA; vendor advisory, web)
- github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7 (GHSA; web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rdoc/CVE-2021-31799.yml (GHSA; web)
- lists.debian.org/debian-lts-announce/2021/10/msg00009.html (GHSA; mailing list, web)
- security-tracker.debian.org/tracker/CVE-2021-31799 (GHSA; web)
- security.netapp.com/advisory/ntap-20210902-0004 (GHSA; web)
- www.oracle.com/security-alerts/cpuapr2022.html (GHSA; web)
- www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc (GHSA; web)
- security.netapp.com/advisory/ntap-20210902-0004/ (MITRE)
- www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/ (MITRE)
News mentions
No linked articles in our index yet.