{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/erb/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41316"}],"_cs_exploited":false,"_cs_products":["ERB"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","ruby","rails"],"_cs_type":"advisory","_cs_vendors":["RubyGems"],"content_html":"\u003cp\u003eRuby versions before ERB 2.2.0 implemented an \u003ccode\u003e@_init\u003c/code\u003e instance variable guard in \u003ccode\u003eERB#result\u003c/code\u003e and \u003ccode\u003eERB#run\u003c/code\u003e to prevent code execution upon deserialization via \u003ccode\u003eMarshal.load\u003c/code\u003e. This guard is intended to block execution when an ERB object is reconstructed from untrusted data. However, the methods \u003ccode\u003eERB#def_method\u003c/code\u003e, \u003ccode\u003eERB#def_module\u003c/code\u003e, and \u003ccode\u003eERB#def_class\u003c/code\u003e were not given the same protection, creating a bypass. An attacker capable of triggering \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data in a Ruby application with the \u003ccode\u003eerb\u003c/code\u003e gem loaded can exploit \u003ccode\u003eERB#def_module\u003c/code\u003e (using its zero-argument, default-parameter form) as a code execution sink. This bypass impacts Ruby on Rails applications that import untrusted serialized data, Ruby tools employing \u003ccode\u003eMarshal.load\u003c/code\u003e for caching or IPC, and legacy Rails applications (pre-7.0) utilizing Marshal for cookie session serialization. This bypass renders the \u003ccode\u003e@_init\u003c/code\u003e mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3. Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this enables a universal RCE gadget chain for Ruby 3.2+ applications using Rails. The vulnerability is identified as CVE-2026-41316.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Ruby object containing an \u003ccode\u003eERB\u003c/code\u003e instance and/or an \u003ccode\u003eActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\u003c/code\u003e instance.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eERB\u003c/code\u003e instance has its \u003ccode\u003e@src\u003c/code\u003e instance variable set to a string containing malicious code with the \u0026ldquo;end\\nsystem(\u0026lsquo;id\u0026rsquo;)\\ndef x\u0026rdquo; payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application calls \u003ccode\u003eMarshal.load\u003c/code\u003e on the crafted object, triggering deserialization.\u003c/li\u003e\n\u003cli\u003eDuring deserialization, the \u003ccode\u003eDeprecatedInstanceVariableProxy\u003c/code\u003e is instantiated (if used), which then invokes the \u003ccode\u003eERB#def_module\u003c/code\u003e method via \u003ccode\u003emethod_missing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eERB#def_module\u003c/code\u003e method calls \u003ccode\u003eERB#def_method\u003c/code\u003e without checking the \u003ccode\u003e@_init\u003c/code\u003e guard.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eERB#def_method\u003c/code\u003e, the malicious code in \u003ccode\u003e@src\u003c/code\u003e is wrapped in a method definition and evaluated via \u003ccode\u003emodule_eval\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;end\\nsystem(\u0026lsquo;id\u0026rsquo;)\\ndef x\u0026rdquo; payload causes the \u003ccode\u003esystem('id')\u003c/code\u003e command to execute during the \u003ccode\u003emodule_eval\u003c/code\u003e call, bypassing the intended deserialization protection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the target system, gaining the ability to perform malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code on the target system. This affects Ruby applications, including Ruby on Rails, which use \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data. Specific impact includes potential compromise of web servers and the ability to read sensitive files, modify data, or install malware. Vulnerable applications include those using \u003ccode\u003eMarshal.load\u003c/code\u003e for caching, data import, or IPC, and legacy Rails applications (pre-7.0) using Marshal for cookie session serialization. This bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade your erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, or 6.0.4 to patch the vulnerability as described in the \u0026ldquo;Patches\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eAvoid using \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data, as it is inherently unsafe. Consider using alternative serialization formats like JSON or YAML.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect ERB def_module Code Execution via Deserialization\u0026rdquo; Sigma rule to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T12:00:00Z","date_published":"2026-04-25T12:00:00Z","id":"/briefs/2026-04-erb-deserialization/","summary":"A deserialization vulnerability exists in Ruby ERB versions before 4.0.3.1, version 4.0.4, ERB versions 5.0.0 before 6.0.1.1, and ERB versions 6.0.2 before 6.0.4. The `@_init` instance variable guard in `ERB#result` and `ERB#run` can be bypassed via `ERB#def_module`, `ERB#def_method`, and `ERB#def_class`, allowing arbitrary code execution when an ERB object is reconstructed via `Marshal.load` on untrusted data.","title":"ERB Deserialization Bypass via def_module/def_method/def_class","url":"https://feed.craftedsignal.io/briefs/2026-04-erb-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — ERB","version":"https://jsonfeed.org/version/1.1"}