Critical severity 9.8 · GHSA Advisory · Published May 14, 2024 · Updated Apr 15, 2026
CVE-2024-27280
Description
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
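The fixed-version rules above are easy to get wrong in a dependency audit, because the Ruby 3.0 and 3.1 backports (3.0.1.1 and 3.0.1.2) sort below the main fix (3.0.3) and differ by Ruby series. The following is an added example, not code from the advisory or from the stringio project: it encodes the advisory's version statements into a check, reads the pinned stringio and Ruby versions out of a Gemfile.lock, and inspects the interpreter it runs under. The lockfile text is constructed for the example, and the reading is deliberately conservative: any stringio below 3.0.3 is treated as affected unless it is at or above the backport the advisory names for that Ruby series (so versions the advisory does not mention, such as 3.0.2, are flagged rather than assumed safe).

```ruby
# Added example: audit a Ruby / stringio pair against CVE-2024-27280.
# Version numbers below come from the advisory text; the lockfile parser,
# the sample lockfile and the helper names are assumptions for this example.
require "rubygems"
require "stringio"

# Fixed versions named in the advisory: 3.0.3 is the main fix; 3.0.1.1 and
# 3.0.1.2 are the backports shipped for the Ruby 3.0 and 3.1 bundled gems.
MAIN_FIXED = Gem::Version.new("3.0.3")
SERIES_BACKPORT = {
  "3.0" => Gem::Version.new("3.0.1.1"),
  "3.1" => Gem::Version.new("3.0.1.2"),
}.freeze

# Ruby "series" is the first two version segments, e.g. "3.1" for 3.1.4.
def ruby_series(ruby_version)
  Gem::Version.new(ruby_version).segments.first(2).join(".")
end

# True when this stringio/Ruby pair should be treated as affected.
# Conservative reading of the advisory: anything below 3.0.3 is affected
# unless it is at or above the backport named for that Ruby series.
def stringio_affected?(stringio_version, ruby_version)
  sio = Gem::Version.new(stringio_version)
  return false if sio >= MAIN_FIXED
  backport = SERIES_BACKPORT[ruby_series(ruby_version)]
  !(backport && sio >= backport)
end

# Pull the pinned stringio version and the Ruby version out of a Gemfile.lock.
# Returns { ruby: "3.1.4", stringio: "3.0.1" }; a value is nil when the
# lockfile does not pin it (stringio is a default gem, so it is often absent,
# in which case the bundled version for that Ruby release applies).
def lockfile_versions(lock_text)
  stringio = lock_text[/^\s+stringio \(([^)]+)\)$/, 1]
  ruby = lock_text[/^\s+ruby (\d+\.\d+\.\d+)/, 1]
  { ruby: ruby, stringio: stringio }
end

# Check the interpreter this script runs under. Returns nil when the loaded
# stringio does not expose StringIO::VERSION.
def running_stringio_affected?
  return nil unless defined?(StringIO::VERSION)
  stringio_affected?(StringIO::VERSION, RUBY_VERSION)
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)
      stringio (3.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    stringio

  RUBY VERSION
     ruby 3.1.4p223

  BUNDLED WITH
     2.3.26
LOCK

if __FILE__ == $PROGRAM_NAME
  v = lockfile_versions(SAMPLE_LOCK)
  puts "lockfile: ruby #{v[:ruby]}, stringio #{v[:stringio]} " \
       "-> affected? #{stringio_affected?(v[:stringio], v[:ruby])}"
  puts "this interpreter (ruby #{RUBY_VERSION}): " \
       "affected? #{running_stringio_affected?.inspect}"
end
```

Note that the GHSA package table on this page expresses the fix simply as `< 3.0.1.1` affected; the function above is stricter on Ruby 3.1, where the advisory names 3.0.1.2 as the fixed backport, so a 3.1 interpreter carrying 3.0.1.1 is reported as affected rather than silently passed.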
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| stringio | RubyGems | < 3.0.1.1 | 3.0.1.1 |
Affected products
61 products (coordinates sourced from OSV); none of these entries has a CPE assigned.

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/ruby-3.0 | < 3.0.6-r5 |
| pkg:apk/chainguard/ruby-3.0-dev | < 3.0.6-r5 |
| pkg:apk/chainguard/ruby-3.0-doc | < 3.0.6-r5 |
| pkg:apk/chainguard/ruby-3.1 | < 3.1.4-r6 |
| pkg:apk/chainguard/ruby-3.1-base | < 3.1.4-r6 |
| pkg:apk/chainguard/ruby-3.1-base-dev | < 3.1.4-r6 |
| pkg:apk/chainguard/ruby-3.1-dev | < 3.1.4-r6 |
| pkg:apk/chainguard/ruby-3.1-doc | < 3.1.4-r6 |
| pkg:apk/wolfi/ruby-3.0 | < 3.0.6-r5 |
| pkg:apk/wolfi/ruby-3.0-dev | < 3.0.6-r5 |
| pkg:apk/wolfi/ruby-3.0-doc | < 3.0.6-r5 |
| pkg:apk/wolfi/ruby-3.1 | < 3.1.4-r6 |
| pkg:apk/wolfi/ruby-3.1-base | < 3.1.4-r6 |
| pkg:apk/wolfi/ruby-3.1-base-dev | < 3.1.4-r6 |
| pkg:apk/wolfi/ruby-3.1-dev | < 3.1.4-r6 |
| pkg:apk/wolfi/ruby-3.1-doc | < 3.1.4-r6 |
| pkg:gem/stringio | < 3.0.1.1 |
| pkg:rpm/almalinux/ruby | < 3.0.7-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/ruby-bundled-gems | < 3.1.5-143.module_el8.10.0+3854+02eaa59a |
| pkg:rpm/almalinux/ruby-default-gems | < 3.0.7-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/ruby-devel | < 3.0.7-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/ruby-doc | < 3.0.7-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-abrt | < 0.4.0-1.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-abrt-doc | < 0.4.0-1.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-bigdecimal | < 3.0.0-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-bson | < 4.3.0-2.module_el8.5.0+2625+ec418553 |
| pkg:rpm/almalinux/rubygem-bson-doc | < 4.3.0-2.module_el8.5.0+2625+ec418553 |
| pkg:rpm/almalinux/rubygem-bundler | < 2.2.33-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-bundler-doc | < 1.16.1-4.module_el8.10.0+3871+342e2c2f |
| pkg:rpm/almalinux/rubygem-did_you_mean | < 1.2.0-112.module_el8.10.0+3871+342e2c2f |
| pkg:rpm/almalinux/rubygem-io-console | < 0.5.7-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-irb | < 1.3.5-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-json | < 2.5.1-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-minitest | < 5.14.2-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-mongo | < 2.5.1-2.module_el8.5.0+2625+ec418553 |
| pkg:rpm/almalinux/rubygem-mongo-doc | < 2.5.1-2.module_el8.5.0+2625+ec418553 |
| pkg:rpm/almalinux/rubygem-mysql2 | < 0.5.3-2.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-mysql2-doc | < 0.5.3-2.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-net-telnet | < 0.1.1-112.module_el8.10.0+3871+342e2c2f |
| pkg:rpm/almalinux/rubygem-openssl | < 2.1.2-112.module_el8.10.0+3871+342e2c2f |
| pkg:rpm/almalinux/rubygem-pg | < 1.2.3-1.module_el8.5.0+2595+0c654ebc |
| pkg:rpm/almalinux/rubygem-pg-doc | < 1.2.3-1.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-power_assert | < 1.2.1-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-psych | < 3.3.2-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-racc | < 1.7.3-2.module_el8.10.0+3855+767cb125 |
| pkg:rpm/almalinux/rubygem-rake | < 13.0.3-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-rbs | < 1.4.0-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-rdoc | < 6.3.4.1-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-rexml | < 3.2.5-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-rss | < 0.2.9-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygems | < 3.2.33-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygems-devel | < 3.2.33-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-test-unit | < 3.3.7-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-typeprof | < 0.15.2-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/almalinux/rubygem-xmlrpc | < 0.3.0-112.module_el8.10.0+3871+342e2c2f |
| pkg:rpm/almalinux/ruby-irb | < 2.5.9-112.module_el8.10.0+3871+342e2c2f |
| pkg:rpm/almalinux/ruby-libs | < 3.0.7-143.module_el8.10.0+3852+ce828b19 |
| pkg:rpm/rocky-linux/ruby?distro=rocky-linux-8&epoch=0 | < 0:3.1.5-143.module+el8.10.0+1826+b62220b4 |
| pkg:rpm/rocky-linux/rubygem-abrt?distro=rocky-linux-8&epoch=0 | < 0:0.4.0-1.module+el8.10.0+1679+61871737 |
| pkg:rpm/rocky-linux/rubygem-mysql2?distro=rocky-linux-8&epoch=0 | < 0:0.5.3-3.module+el8.10.0+1744+6c504228 |
| pkg:rpm/rocky-linux/rubygem-pg?distro=rocky-linux-8&epoch=0 | < 0:1.3.2-1.module+el8.10.0+1741+bdb5b6ca |
References
- github.com/advisories/GHSA-v5h6-c2hv-hv3r (advisory; via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2024-27280 (advisory; via GHSA)
- seclists.org/fulldisclosure/2025/Sep/53 (web; via NVD)
- seclists.org/fulldisclosure/2025/Sep/54 (web; via NVD)
- seclists.org/fulldisclosure/2025/Sep/55 (web; via NVD)
- github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233 (fix commit; via GHSA)
- github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8 (fix commit; via GHSA)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/stringio/CVE-2024-27280.yml (web; via GHSA)
- hackerone.com/reports/1399856 (web; via NVD)
- lists.debian.org/debian-lts-announce/2024/09/msg00000.html (web; via NVD)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/ (web; via GHSA and NVD)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N/ (web; via GHSA and NVD)
- security.netapp.com/advisory/ntap-20250502-0003/ (web; via GHSA and NVD)
- www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/ (web; via GHSA and NVD)