Medium severity (4.3) · NVD Advisory · Published May 29, 2024 · Updated Apr 15, 2026
CVE-2024-35221
Description
Rubygems.org is the Ruby community's gem hosting service. A gem publisher can cause a remote DoS when publishing a gem. This is due to how Ruby reads the manifest of gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load, which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for denial-of-service attacks with so-called YAML bombs (comparable to billion laughs attacks). This was patched. There is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub Security Lab.
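The description above turns on one loader setting: whether the YAML parser expands aliases (references to an anchored node) when it builds Ruby objects from gem metadata. The following is an added example, not code from rubygems.org or from the advisory, and it uses Psych (the YAML library bundled with Ruby) rather than the SafeYAML gem the advisory names. It assumes Psych 3.1 or later for the keyword form of Psych.safe_load. The sample document is constructed for the demonstration: a few bytes of text whose expanded object graph is an order of magnitude larger, which is the shape a YAML bomb exploits at scale. The two loaders show the weak setting (aliases permitted) beside the hardened one (aliases rejected), and alias_count shows how to detect aliases in metadata by inspecting the parse tree without ever building the expanded objects.

```ruby
require 'psych'

# Constructed sample document. Each level references the previous one three
# times via aliases, so the object graph Psych builds grows much faster than
# the text does. Two small levels are enough to show the effect.
ALIASED_YAML = <<~YAML
  a: &a ["x", "x", "x"]
  b: &b [*a, *a, *a]
  c: [*b, *b, *b]
YAML

# Count leaf values in a parsed structure: a proxy for how much memory alias
# expansion produced from the source text.
def count_leaves(obj)
  case obj
  when Array then obj.sum { |e| count_leaves(e) }
  when Hash  then obj.values.sum { |v| count_leaves(v) }
  else 1
  end
end

# Weak setting: aliases are expanded while constructing Ruby objects, so a
# publisher controls how large the resulting graph gets.
def load_metadata_with_aliases(yaml)
  Psych.safe_load(yaml, permitted_classes: [], aliases: true)
end

# Hardened setting: aliases: false makes Psych raise on the first alias, so
# the document is refused before any expansion happens. Psych 4 raises
# Psych::AliasesNotEnabled, a subclass of Psych::BadAlias; Psych 3 raises
# Psych::BadAlias directly, so rescuing the parent class covers both.
def load_metadata_no_aliases(yaml)
  Psych.safe_load(yaml, permitted_classes: [], aliases: false)
rescue Psych::BadAlias => e
  { rejected: true, reason: e.class.name }
end

# Detection without expansion: Psych.parse builds only the node tree, which is
# linear in the size of the text, so walking it for Psych::Nodes::Alias is safe
# to run on untrusted metadata before deciding whether to load it at all.
def alias_count(yaml)
  doc = Psych.parse(yaml)
  return 0 unless doc
  stack = [doc]
  count = 0
  until stack.empty?
    node = stack.pop
    count += 1 if node.is_a?(Psych::Nodes::Alias)
    stack.concat(node.children) if node.children
  end
  count
end

if __FILE__ == $PROGRAM_NAME
  puts "source bytes: #{ALIASED_YAML.bytesize}"
  puts "aliases found: #{alias_count(ALIASED_YAML)}"
  puts "leaves after expansion: #{count_leaves(load_metadata_with_aliases(ALIASED_YAML))}"
  puts "hardened loader: #{load_metadata_no_aliases(ALIASED_YAML).inspect}"
end
```

Note that aliases: false is already the default for Psych.safe_load; the point of the example is that any loader used on publisher-supplied metadata must keep it that way, and that a parse-tree scan gives a cheap pre-check that never triggers the expansion.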
Affected products (OSV coordinates, 17 versions; no CPE assigned)
- pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.6 range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Enterprise%20Storage%207.1 range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7 range: < 2.5.9-150700.24.3.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Proxy%20LTS%204.3 range: < 2.5.9-150000.4.49.1
- pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Server%20LTS%204.3 range: < 2.5.9-150000.4.49.1