Command injection in discordrb
Description
discordrb prior to commit 91e13043ffa contains a command injection vulnerability in encoder.rb, allowing arbitrary shell command execution via user-controlled file input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The discordrb library, a Ruby implementation of the Discord API, contains a command injection vulnerability in its encoder.rb file. The encode_file method builds a shell command by interpolating the file parameter directly into a string that is then passed to IO.popen [4]. Because IO.popen hands such a string to the shell, an attacker who controls the file argument can inject arbitrary shell commands [1][2]. The root cause is that the input is neither sanitized nor passed via the array form of command execution, which invokes the program directly without a shell and would prevent injection [4].
Exploitation
Conditions
This vulnerability is not directly exploitable by default; it requires that a client application call the encode_file method with untrusted user input [2]. If user-controlled data reaches the file parameter, an attacker can craft input such as backtick-enclosed commands or other shell metacharacters to achieve injection [4]. A proof of concept demonstrates that passing a string such as `` `touch pwned` `` (the command wrapped in shell backticks) results in execution of the injected command [4]. The attack surface thus depends on how the library is used in downstream applications.
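The string-versus-array distinction behind the Overview and the backtick input described above, as an added example that is not discordrb's code: `printf` stands in for ffmpeg so it runs without ffmpeg installed, the file name is constructed for the demo, and the function names are assumptions.

```ruby
require 'shellwords'

# Constructed for the demo: a "file name" carrying shell command substitution.
TAINTED_FILE = 'song.mp3`echo INJECTED`'

# Pre-fix shape: one interpolated string. IO.popen hands a string containing
# metacharacters to /bin/sh, so the backticks are evaluated before printf runs.
def unsafe_command(file, options = '')
  "printf '%s\\n' \"#{file}\" #{options}"
end

# Post-fix shape: an argv array. IO.popen execs the program directly, so every
# element, including a file name full of metacharacters, is passed literally.
def safe_command(file, options = '')
  ['printf', '%s\n', file].concat(options.split).reject { |s| s.nil? || s.empty? }
end

# Fallback when a single string really is required: Shellwords.escape quotes
# the value so the shell treats the whole file name as one literal word.
def escaped_command(file, options = '')
  "printf '%s\\n' #{Shellwords.escape(file)} #{options}"
end

# Run a command and return the first line the child printed.
def run(command)
  IO.popen(command, &:read).lines.first.to_s.chomp
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe : #{run(unsafe_command(TAINTED_FILE))}"   # song.mp3INJECTED
  puts "array  : #{run(safe_command(TAINTED_FILE))}"     # song.mp3`echo INJECTED`
  puts "escaped: #{run(escaped_command(TAINTED_FILE))}"  # song.mp3`echo INJECTED`
end
```

The first line shows the shell substituting the embedded command into the "file name"; the other two show it surviving as a literal.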
Impact
Successful exploitation allows an attacker to execute arbitrary shell commands on the host machine running the discordrb process [2]. The full impact is constrained by the permissions of the running process; it is unlikely to result in total system compromise unless the process runs with elevated privileges [2]. Nevertheless, remote code execution (RCE) is achievable, enabling actions like file manipulation, data exfiltration, or further lateral movement within the compromised environment [4].
Mitigation
Status
The issue has been addressed in code via commit 91e13043ffa, but as of the publication date, no new release of the discordrb gem has been published to rubygems [2][4]. Users are advised to apply the patch manually from the repository or to avoid passing untrusted input to the encode_file method until an updated gem is available [3]. The vulnerability is tracked as GHSL-2022-094 and is listed in the GitHub Security Lab advisories [1][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| discordrb (RubyGems) | < 3.4.3 | 3.4.3 |
Affected products
- shardlab/discordrb (v5), range: <= 3.4.1
Patches
- 91e13043ffa8 fix: switch popen to use an array invocation
1 file changed · +13 −4
lib/discordrb/voice/encoder.rb+13 −4 modified@@ -77,7 +77,7 @@ def adjust_volume(buf, mult) # @param options [String] ffmpeg options to pass after the -i flag # @return [IO] the audio, encoded as s16le PCM def encode_file(file, options = '') - command = "#{ffmpeg_command} -loglevel 0 -i \"#{file}\" #{options} -f s16le -ar 48000 -ac 2 #{filter_volume_argument} pipe:1" + command = ffmpeg_command(input: file, options: options) IO.popen(command) end @@ -87,14 +87,23 @@ def encode_file(file, options = '') # @param options [String] ffmpeg options to pass after the -i flag # @return [IO] the audio, encoded as s16le PCM def encode_io(io, options = '') - command = "#{ffmpeg_command} -loglevel 0 -i - #{options} -f s16le -ar 48000 -ac 2 #{filter_volume_argument} pipe:1" + command = ffmpeg_command(options: options) IO.popen(command, in: io) end private - def ffmpeg_command - @use_avconv ? 'avconv' : 'ffmpeg' + def ffmpeg_command(input: '-', options: null) + [ + @use_avconv ? 'avconv' : 'ffmpeg', + '-loglevel', '0', + '-i', input, + '-f', 's16le', + '-ar', '48000', + '-ac', '2', + 'pipe:1', + filter_volume_argument, + ].concat(options.split).reject {|segment| segment.nil? || segment == '' } end def filter_volume_argument
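Review bot: in the encode_file hunk, `file` now reaches ffmpeg as a single argv element, which takes the shell out of the path, but `options` is still a caller-supplied string that ffmpeg_command splits on whitespace into further argv entries, so a downstream application that forwards untrusted text as `options` still lets that text choose arbitrary ffmpeg flags. The `@param options` doc comment in the context lines should say that it must not carry untrusted input, or the method should take options as an array so the caller controls the boundaries.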
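Review bot: in the ffmpeg_command hunk, the keyword default `options: null` is not valid Ruby (`null` is an undefined identifier), so any call that omits `options` raises NameError; both callers pass `options` today, which hides it, but the default should be `''` so that `options.split` works. The argument order also changed: `'pipe:1'` is the output specifier and must be the last element, yet `filter_volume_argument` and the split `options` are appended after it, where ffmpeg treats them as trailing options and ignores them, so the volume filter and caller options silently stop taking effect. Suggest placing `.concat(options.split)` directly after `'-i', input`, keeping `filter_volume_argument` before `'pipe:1'`, and running the `reject` before appending `'pipe:1'`.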
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8832-4mm5-x2r6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-28102 (ghsa, ADVISORY)
- securitylab.github.com/advisories/GHSL-2022-094_discordrb (ghsa, ADVISORY)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/discordrb/CVE-2023-28102.yml (ghsa, WEB)
- github.com/shardlab/discordrb/commit/91e13043ffa89227c3fcdc3408f06da237d28c95 (ghsa, x_refsource_MISC, WEB)
- securitylab.github.com/advisories (ghsa, WEB)
- securitylab.github.com/advisories/GHSL-2022-094_discordrb/ (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.