{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rails/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41316"}],"_cs_exploited":false,"_cs_products":["ERB"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","ruby","rails"],"_cs_type":"advisory","_cs_vendors":["RubyGems"],"content_html":"\u003cp\u003eRuby versions before ERB 2.2.0 implemented an \u003ccode\u003e@_init\u003c/code\u003e instance variable guard in \u003ccode\u003eERB#result\u003c/code\u003e and \u003ccode\u003eERB#run\u003c/code\u003e to prevent code execution upon deserialization via \u003ccode\u003eMarshal.load\u003c/code\u003e. This guard is intended to block execution when an ERB object is reconstructed from untrusted data. However, the methods \u003ccode\u003eERB#def_method\u003c/code\u003e, \u003ccode\u003eERB#def_module\u003c/code\u003e, and \u003ccode\u003eERB#def_class\u003c/code\u003e were not given the same protection, creating a bypass. An attacker capable of triggering \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data in a Ruby application with the \u003ccode\u003eerb\u003c/code\u003e gem loaded can exploit \u003ccode\u003eERB#def_module\u003c/code\u003e (using its zero-argument, default-parameter form) as a code execution sink. This bypass impacts Ruby on Rails applications that import untrusted serialized data, Ruby tools employing \u003ccode\u003eMarshal.load\u003c/code\u003e for caching or IPC, and legacy Rails applications (pre-7.0) utilizing Marshal for cookie session serialization. This bypass renders the \u003ccode\u003e@_init\u003c/code\u003e mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3. Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this enables a universal RCE gadget chain for Ruby 3.2+ applications using Rails. The vulnerability is identified as CVE-2026-41316.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Ruby object containing an \u003ccode\u003eERB\u003c/code\u003e instance and/or an \u003ccode\u003eActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\u003c/code\u003e instance.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eERB\u003c/code\u003e instance has its \u003ccode\u003e@src\u003c/code\u003e instance variable set to a string containing malicious code with the \u0026ldquo;end\\nsystem(\u0026lsquo;id\u0026rsquo;)\\ndef x\u0026rdquo; payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application calls \u003ccode\u003eMarshal.load\u003c/code\u003e on the crafted object, triggering deserialization.\u003c/li\u003e\n\u003cli\u003eDuring deserialization, the \u003ccode\u003eDeprecatedInstanceVariableProxy\u003c/code\u003e is instantiated (if used), which then invokes the \u003ccode\u003eERB#def_module\u003c/code\u003e method via \u003ccode\u003emethod_missing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eERB#def_module\u003c/code\u003e method calls \u003ccode\u003eERB#def_method\u003c/code\u003e without checking the \u003ccode\u003e@_init\u003c/code\u003e guard.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eERB#def_method\u003c/code\u003e, the malicious code in \u003ccode\u003e@src\u003c/code\u003e is wrapped in a method definition and evaluated via \u003ccode\u003emodule_eval\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;end\\nsystem(\u0026lsquo;id\u0026rsquo;)\\ndef x\u0026rdquo; payload causes the \u003ccode\u003esystem('id')\u003c/code\u003e command to execute during the \u003ccode\u003emodule_eval\u003c/code\u003e call, bypassing the intended deserialization protection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the target system, gaining the ability to perform malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code on the target system. This affects Ruby applications, including Ruby on Rails, which use \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data. Specific impact includes potential compromise of web servers and the ability to read sensitive files, modify data, or install malware. Vulnerable applications include those using \u003ccode\u003eMarshal.load\u003c/code\u003e for caching, data import, or IPC, and legacy Rails applications (pre-7.0) using Marshal for cookie session serialization. This bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade your erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, or 6.0.4 to patch the vulnerability as described in the \u0026ldquo;Patches\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eAvoid using \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data, as it is inherently unsafe. Consider using alternative serialization formats like JSON or YAML.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect ERB def_module Code Execution via Deserialization\u0026rdquo; Sigma rule to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T12:00:00Z","date_published":"2026-04-25T12:00:00Z","id":"/briefs/2026-04-erb-deserialization/","summary":"A deserialization vulnerability exists in Ruby ERB versions before 4.0.3.1, version 4.0.4, ERB versions 5.0.0 before 6.0.1.1, and ERB versions 6.0.2 before 6.0.4. The `@_init` instance variable guard in `ERB#result` and `ERB#run` can be bypassed via `ERB#def_module`, `ERB#def_method`, and `ERB#def_class`, allowing arbitrary code execution when an ERB object is reconstructed via `Marshal.load` on untrusted data.","title":"ERB Deserialization Bypass via def_module/def_method/def_class","url":"https://feed.craftedsignal.io/briefs/2026-04-erb-deserialization/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["rails","active-storage","dos","cve-2026-33174"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33174 is a denial-of-service vulnerability affecting Ruby on Rails applications that utilize Active Storage. Specifically, it impacts versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. The vulnerability stems from the way Active Storage handles file serving through its proxy delivery mode. When processing requests with large or unbounded Range headers (e.g., \u003ccode\u003ebytes=0-\u003c/code\u003e), the proxy controller incorrectly loads the entire requested byte range into memory before sending it to the client…\u003c/p\u003e\n","date_modified":"2026-03-24T00:16:28Z","date_published":"2026-03-24T00:16:28Z","id":"/briefs/2026-03-rails-dos/","summary":"A denial-of-service vulnerability (CVE-2026-33174) exists in Ruby on Rails Active Storage versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1 due to unbounded memory allocation when handling large or unbounded Range headers in proxy delivery mode.","title":"Ruby on Rails Active Storage DoS Vulnerability (CVE-2026-33174)","url":"https://feed.craftedsignal.io/briefs/2026-03-rails-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Rails","version":"https://jsonfeed.org/version/1.1"}