VYPR
Medium severity 4.5 · GHSA Advisory · Published May 14, 2024 · Updated Apr 15, 2026

CVE-2024-27281

Description

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
rdoc (RubyGems) | >= 6.3.3, < 6.3.4.1 | 6.3.4.1
rdoc (RubyGems) | >= 6.4.0, < 6.4.1.1 | 6.4.1.1
rdoc (RubyGems) | >= 6.5.0, < 6.5.1.1 | 6.5.1.1
rdoc (RubyGems) | >= 6.6.0, < 6.6.3.1 | 6.6.3.1
