Samuel Giddins

Talk: A survey of recent RubyGems CVEs

Security Engineer in Residence at Ruby Central

A survey of recent RubyGems CVEs

RubyGems, like any sufficiently-used piece of software, has its fair share of bugs. Because RubyGems is a package manager (and gem host), many of those bugs turn out to have security implications. Let’s take a tour of recent RubyGems & RubyGems.org vulnerabilities, and learn how we’re keeping the ecosystem safe.

Marshal, insufficient input validation, symlink traversal, oh my! Over the past couple of years, there’s been a slow trickle of CVEs announced, covering both RubyGems & RubyGems.org. Let’s go on a quick tour of those vulnerabilities, covering their lifecycle from discovery to mitigation to announcement. We’ll dive into some patterns that have started to emerge, and discuss the steps the RubyGems team is taking to keep the Ruby ecosystem secure in an increasingly adversarial world.

Bio

Samuel is the Security Engineer in Residence at Ruby Central, leading security efforts across RubyGems and RubyGems.org by day (and sometimes by night, CVEs never sleep). He’s been working on Ruby tooling for the past decade, and has shipped hundreds of bugs across RubyGems & Bundler.