Medium severity · 5.3 (NVD) · Advisory · Published Jan 9, 2025 · Updated Apr 15, 2026
CVE-2023-27531
Description
There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code.
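As an added illustration of the description above (not code from the advisory or from the kredis project), the following Ruby shows why replacing JSON.load with JSON.parse closes the hole: JSON.load enables the json gem's create_additions feature, which lets a stored document select a class through its "json_class" key, while JSON.parse leaves that feature off. KredisDemoMarker, STORED_JSON and the cast_value_* names are constructed for this example, and the nil guard in cast_value_safe is an assumption about a caller that may pass a missing key, not something the patch adds.

```ruby
require "json"

# Constructed sample of what the Redis value could contain: shaped like the
# payload in the fix commit's regression test, with a hypothetical class name.
STORED_JSON = '{"json_class":"KredisDemoMarker","note":"from redis"}'

# Hypothetical class standing in for any loaded class that defines
# json_create. With create_additions on, the json gem resolves the class
# named in "json_class" and hands it the decoded object; the stored JSON,
# not the Kredis caller, decides which class runs.
class KredisDemoMarker
  CREATED = [] # records every json_create call so the difference is observable

  def self.json_create(object)
    CREATED << object["note"]
    new(object["note"])
  end

  attr_reader :note

  def initialize(note)
    @note = note
  end
end

# Kredis < 1.3.0.1: JSON.load turns create_additions on by default.
def cast_value_vulnerable(value)
  JSON.load(value)
end

# Kredis 1.3.0.1: JSON.parse keeps create_additions off, so "json_class"
# is just another key in an ordinary Hash.
def cast_value_fixed(value)
  JSON.parse(value)
end

# Same fix plus a nil guard (assumed caller behaviour): JSON.load(nil)
# returned nil, JSON.parse(nil) raises TypeError, so handle a missing key.
def cast_value_safe(value)
  value.nil? ? nil : JSON.parse(value)
end

if __FILE__ == $PROGRAM_NAME
  puts cast_value_vulnerable(STORED_JSON).class # KredisDemoMarker
  puts cast_value_fixed(STORED_JSON).class      # Hash
end
```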
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| kredis (RubyGems) | < 1.3.0.1 | 1.3.0.1 |
Patches
d576b7ae5c8d · Fix possible deserialization of untrusted data
2 files changed · +4 −1
lib/kredis/type/json.rb+1 −1 modified@@ -8,7 +8,7 @@ def type end def cast_value(value) - JSON.load(value) + JSON.parse(value) end def serialize(value)
test/types/scalar_test.rb+3 −0 modified@@ -60,6 +60,9 @@ class ScalarTest < ActiveSupport::TestCase json = Kredis.json "myscalar" json.value = { "one" => 1, "string" => "hello" } assert_equal({ "one" => 1, "string" => "hello" }, json.value) + + json.value = {"json_class"=>"String", "raw"=>[97, 98, 99]} + assert_equal({"json_class"=>"String", "raw"=>[97, 98, 99]}, json.value) end test "invalid type" do
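Review bot: The one-word change in cast_value (lib/kredis/type/json.rb) is the right fix, since JSON.load enables create_additions (and allow_nan) by default while JSON.parse leaves them off, so a stored object carrying "json_class" comes back as a plain Hash instead of being handed to the named class's json_create. Two things to confirm before merging: JSON.parse(nil) raises TypeError where JSON.load(nil) returned nil, so if cast_value can ever receive nil (key absent in Redis) it needs a guard such as `value.nil? ? nil : JSON.parse(value)`; and the serialize method in the trailing context should be checked to emit plain JSON (JSON.generate or JSON.dump) so nothing on the write path depends on the additions behaviour.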
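Review bot: The new assertion in test/types/scalar_test.rb is a good regression test, because with the old JSON.load the json gem's String extension would have turned that document into the String "abc" rather than returning the Hash, but as written it reads like an arbitrary extra hash. Add a one-line comment above it naming the json_class/create_additions behaviour it guards against, and match the spacing style already used two lines up (`{ "json_class" => "String", "raw" => [97, 98, 99] }`) so the two cases read as siblings.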
References
- github.com/advisories/GHSA-h2wm-p2vg-6pw4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-27531 (GHSA, advisory)
- discuss.rubyonrails.org/t/cve-2023-27531-possible-deserialization-of-untrusted-data-vulnerability-in-kredis-json/82467 (NVD and GHSA, web)
- github.com/rails/kredis/commit/d576b7ae5c8d3d74eeb4bd84cad0aa64ffc299fa (GHSA, web)
- github.com/rails/kredis/releases/tag/v1.3.0.1 (GHSA, web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/kredis/CVE-2023-27531.yml (GHSA, web)