Описание
CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement
There is a possibility for Regular expression Denial of Service (ReDoS) by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.
Details
The regular expression used in CGI::Util#escapeElement is vulnerable to ReDoS. The crafted input could lead to a high CPU consumption.
This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
Credits
Thanks to svalkanov for discovering this issue. Also thanks to nobu for fixing this vulnerability.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-27220
- https://github.com/ruby/cgi/pull/52
- https://github.com/ruby/cgi/pull/53
- https://github.com/ruby/cgi/pull/54
- https://hackerone.com/reports/2890322
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml
- https://www.cve.org/CVERecord?id=CVE-2025-27220
- https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
Пакеты
cgi
< 0.3.5.1
0.3.5.1
cgi
= 0.3.6
0.3.7
cgi
>= 0.4.0, < 0.4.2
0.4.2
Связанные уязвимости
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of S ...