CVE-2021-41816
Description
CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in CGI.escape_html in Ruby before 2.7.5/3.0.3 leads to buffer overflow on platforms where size_t and long differ.
Vulnerability
CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3, as well as the CGI gem before 0.3.1, contains an integer overflow vulnerability [1]. On platforms where size_t and long have different byte sizes (e.g., Windows), a long string passed to CGI.escape_html can cause an integer overflow in the length calculation, resulting in a buffer overflow [2][3][4].
Exploitation
An attacker can provide a specially crafted long string to an application that uses CGI.escape_html. No special authentication is required if the application processes user-supplied input through this method. The overflow occurs during the internal buffer allocation when the computed length wraps around due to integer overflow [2][3][4].
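The length wrap described above, modelled as an added example (not code from Ruby or the CGI gem), with the unchecked size computation beside a bounds-checked one. Fixed-width types stand in for 64-bit Windows, where long is 32 bits and size_t is 64 bits; HTML_ESCAPE_MAX_LEN is assumed to be 6, and all type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HTML_ESCAPE_MAX_LEN 6          /* assumed: longest entity, "&quot;" */
typedef int32_t  llp64_long;           /* long is 32 bits on 64-bit Windows */
typedef uint64_t llp64_size_t;         /* size_t is 64 bits on 64-bit Windows */

/* Pre-fix sizing: len * HTML_ESCAPE_MAX_LEN is evaluated in 32-bit long and
 * only then widened. Unsigned math models the wrap without invoking UB. */
llp64_size_t unchecked_alloc_size(llp64_long len)
{
    uint32_t wrapped = (uint32_t)len * (uint32_t)HTML_ESCAPE_MAX_LEN;
    int64_t as_long = wrapped > (uint32_t)INT32_MAX
                          ? (int64_t)wrapped - 4294967296LL
                          : (int64_t)wrapped;
    return (llp64_size_t)as_long;      /* sign-extends when negative */
}

/* Hardened sizing: widen first, bound-check, then multiply in size_t width. */
bool checked_alloc_size(llp64_long len, llp64_size_t *out)
{
    if (len < 0) return false;
    llp64_size_t n = (llp64_size_t)len;
    if (n > UINT64_MAX / HTML_ESCAPE_MAX_LEN) return false;
    *out = n * HTML_ESCAPE_MAX_LEN;
    return true;
}

/* True when the pre-fix size is smaller than the worst-case escaped output. */
bool is_undersized(llp64_long len)
{
    llp64_size_t need;
    return checked_alloc_size(len, &need) && unchecked_alloc_size(len) < need;
}

int main(void)
{
    /* Constructed boundary lengths: last value that fits, first that wraps
     * negative, and one whose product wraps to a small positive size. */
    const llp64_long samples[] = { 357913941, 357913942, 715827883 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        llp64_size_t need = 0;
        checked_alloc_size(samples[i], &need);
        printf("len=%ld unchecked=%llu needed=%llu undersized=%d\n",
               (long)samples[i],
               (unsigned long long)unchecked_alloc_size(samples[i]),
               (unsigned long long)need, is_undersized(samples[i]));
    }
    return 0;
}
```

A product that wraps negative sign-extends into an enormous request that the allocator refuses; the dangerous case is the one that wraps to a small positive size, because the allocation succeeds and the escape loop then writes past it.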
Impact
Successful exploitation can lead to a buffer overflow, potentially allowing an attacker to corrupt memory and achieve arbitrary code execution or cause a denial of service. The impact depends on the context of the application using the vulnerable function [1].
Mitigation
The vulnerability is fixed in Ruby versions 2.7.5 and 3.0.3, and in CGI gem version 0.3.1 [1]. Users should upgrade to these versions or later. No workaround is available other than upgrading. The issue was reported via HackerOne [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cgi (RubyGems) | >= 0.3.0, < 0.3.1 | 0.3.1 |
| cgi (RubyGems) | >= 0.2.0, < 0.2.1 | 0.2.1 |
| cgi (RubyGems) | < 0.1.0.1 | 0.1.0.1 |
Affected products
15 products
- Ruby/CGI.escape_html (description)
- osv-coords (14 versions)

| Package URL | CPE | Range |
|---|---|---|
| pkg:apk/chainguard/ruby-3.0 | (no CPE) | < 0 |
| pkg:apk/chainguard/ruby-3.0-dev | (no CPE) | < 0 |
| pkg:apk/chainguard/ruby-3.0-doc | (no CPE) | < 0 |
| pkg:apk/wolfi/ruby-3.0 | (no CPE) | < 0 |
| pkg:apk/wolfi/ruby-3.0-dev | (no CPE) | < 0 |
| pkg:apk/wolfi/ruby-3.0-doc | (no CPE) | < 0 |
| pkg:gem/cgi | (no CPE) | >= 0.3.0, < 0.3.1 |
| pkg:rpm/opensuse/ruby2.7&distro=openSUSE%20Tumbleweed | (no CPE) | < 2.7.5-1.1 |
| pkg:rpm/opensuse/ruby3.0&distro=openSUSE%20Tumbleweed | (no CPE) | < 3.0.3-1.1 |
| pkg:rpm/opensuse/ruby3.1&distro=openSUSE%20Tumbleweed | (no CPE) | < 3.1.0-1.1 |
| pkg:rpm/opensuse/ruby3.2&distro=openSUSE%20Tumbleweed | (no CPE) | < 3.2.1-1.1 |
| pkg:rpm/opensuse/ruby3.3&distro=openSUSE%20Tumbleweed | (no CPE) | < 3.3.0-1.2 |
| pkg:rpm/opensuse/ruby3.4&distro=openSUSE%20Tumbleweed | (no CPE) | < 3.4.1-1.1 |
| pkg:rpm/opensuse/ruby4.0&distro=openSUSE%20Tumbleweed | (no CPE) | < 4.0.0~preview2-1.1 |
Patches
4 patches
ad079c1cb5f5: merge some parts of CGI 0.1.1
4 files changed · +8 −3
ext/cgi/escape/escape.c+2 −1 modified@@ -36,7 +36,8 @@ static VALUE optimized_escape_html(VALUE str) { VALUE vbuf; - char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN); + typedef char escape_buf[HTML_ESCAPE_MAX_LEN]; + char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str)); const char *cstr = RSTRING_PTR(str); const char *end = cstr + RSTRING_LEN(str);
lib/cgi/cookie.rb+0 −1 modified@@ -159,7 +159,6 @@ def self.parse(raw_cookie) raw_cookie.split(/;\s?/).each do |pairs| name, values = pairs.split('=',2) next unless name and values - name = CGI.unescape(name) values ||= "" values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) } if cookies.has_key?(name)
lib/cgi/version.rb+1 −1 modified@@ -1,3 +1,3 @@ class CGI - VERSION = "0.1.0" + VERSION = "0.1.0.1" end
test/cgi/test_cgi_cookie.rb+5 −0 modified@@ -101,6 +101,11 @@ def test_cgi_cookie_parse end end + def test_cgi_cookie_parse_not_decode_name + cookie_str = "%66oo=baz;foo=bar" + cookies = CGI::Cookie.parse(cookie_str) + assert_equal({"%66oo" => ["baz"], "foo" => ["bar"]}, cookies) + end def test_cgi_cookie_arrayinterface cookie = CGI::Cookie.new('name1', 'a', 'b', 'c')
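Review bot: in ext/cgi/escape/escape.c, the new `typedef char escape_buf[HTML_ESCAPE_MAX_LEN];` and the dereferenced `*ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str))` carry no comment saying why the buffer is now requested as `RSTRING_LEN(str)` fixed-size elements rather than `RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN` chars. The point is that the caller no longer multiplies the length itself, and a one-line comment to that effect would stop a later cleanup from folding it back into the old expression. None of the four changed files adds a test that runs escape_html on a long input, so the sizing change has no regression coverage in this commit.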
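Review bot: in lib/cgi/cookie.rb, removing `name = CGI.unescape(name)` from `self.parse` changes the keys of the returned hash for any cookie whose name is percent-encoded, while values are still passed through `CGI.unescape`. That is a caller-visible behaviour change and is separate from the buffer sizing change in escape.c, yet the commit message "merge some parts of CGI 0.1.1" does not mention it. Call it out in the message or changelog, and add a comment at the `name, values = pairs.split('=',2)` line stating that names are intentionally left undecoded.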
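Review bot: in test/cgi/test_cgi_cookie.rb, `test_cgi_cookie_parse_not_decode_name` asserts only on names; in the input `"%66oo=baz;foo=bar"` neither value contains a percent-escape, so this test would still pass if value decoding were dropped by mistake. Adding a pair with an encoded value to `cookie_str` would pin both halves of the intended behaviour: names kept raw, values decoded.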
1 file changed · +2 −1
ext/cgi/escape/escape.c+2 −1 modified@@ -38,7 +38,8 @@ static VALUE optimized_escape_html(VALUE str) { VALUE vbuf; - char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN); + typedef char escape_buf[HTML_ESCAPE_MAX_LEN]; + char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str)); const char *cstr = RSTRING_PTR(str); const char *end = cstr + RSTRING_LEN(str);
1 file changed · +2 −1
ext/cgi/escape/escape.c+2 −1 modified@@ -36,7 +36,8 @@ static VALUE optimized_escape_html(VALUE str) { VALUE vbuf; - char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN); + typedef char escape_buf[HTML_ESCAPE_MAX_LEN]; + char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str)); const char *cstr = RSTRING_PTR(str); const char *end = cstr + RSTRING_LEN(str);
1 file changed · +2 −1
ext/cgi/escape/escape.c+2 −1 modified@@ -36,7 +36,8 @@ static VALUE optimized_escape_html(VALUE str) { VALUE vbuf; - char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN); + typedef char escape_buf[HTML_ESCAPE_MAX_LEN]; + char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str)); const char *cstr = RSTRING_PTR(str); const char *end = cstr + RSTRING_LEN(str);
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
21 references
- github.com/advisories/GHSA-5cqm-crxm-6qpv (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/ (mitre, vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41816 (ghsa, ADVISORY)
- security.gentoo.org/glsa/202401-27 (ghsa, vendor-advisory, WEB)
- github.com/ruby/cgi/commit/959ccf0b6a672bcc64aeaa60c6e1f9e728f1e87f (ghsa, WEB)
- github.com/ruby/cgi/commit/ad079c1cb5f58eba1ffac46da79995fcf94a3a6e (ghsa, WEB)
- github.com/ruby/cgi/commit/c6a37a671b556eb06140ea89cc465136b24207a6 (ghsa, WEB)
- github.com/ruby/cgi/commit/c728632c1c09d46cfd4ecbff9caaa3651dd1002a (ghsa, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-41816.yml (ghsa, WEB)
- groups.google.com/g/ruby-security-ann/c/4MQ568ZG47c (ghsa, WEB)
- hackerone.com/reports/1328463 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF (ghsa, WEB)
- security-tracker.debian.org/tracker/CVE-2021-41816 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20220303-0006 (ghsa, WEB)
- www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20220303-0006/ (mitre)
- www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/ (mitre)