
Commit 741e24e

Write up CVE-2026-41316 (#3916)
1 parent 984400b commit 741e24e

1 file changed

Lines changed: 41 additions & 0 deletions

@@ -0,0 +1,41 @@
1+
---
2+
layout: news_post
3+
title: "CVE-2026-41316: ERB @_init deserialization guard bypass via def_module / def_method / def_class"
4+
author: "k0kubun"
5+
translator:
6+
date: 2026-04-21 07:51:00 +0000
7+
tags: security
8+
lang: en
9+
---
10+
11+
We published security advisory for CVE-2026-41316.
12+
13+
## CVE-2026-41316: ERB @\_init deserialization guard bypass via def\_module / def\_method / def\_class
14+
15+
A deserialization vulnerability exists in ERB. This vulnerability has been assigned the CVE identifier [CVE-2026-41316](https://www.cve.org/CVERecord?id=CVE-2026-41316). We recommend upgrading the erb gem.
16+
17+
### Scope
18+
19+
Any Ruby application that calls `Marshal.load` on untrusted data AND has both `erb` and `activesupport` loaded is vulnerable to arbitrary code execution. This includes:
20+
21+
- **Ruby on Rails applications that import untrusted serialized data** -- any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
22+
- **Ruby tools that import untrusted serialized data** -- any tool using `Marshal.load` for caching, data import, or IPC
23+
- **Legacy Rails apps** (pre-7.0) that still use Marshal for cookie session serialization
24+
25+
### Details
26+
27+
ERB implements an `@_init` guard to prevent code execution when ERB objects are reconstructed via `Marshal.load` on untrusted data. However, `ERB#def_method`, `ERB#def_module`, and `ERB#def_class` evaluate the template source without checking this guard, allowing an attacker who controls the data passed to `Marshal.load` to bypass the protection and execute arbitrary code. In particular, `def_module` takes no arguments, making it straightforward to invoke as part of a deserialization gadget chain.
28+
29+
Please update the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later.
30+
31+
### Affected versions
32+
33+
* erb gem 6.0.3 or lower
34+
35+
### Credits
36+
37+
Thanks to [TristanInSec](https://github.com/TristanInSec) for discovering this issue.
38+
39+
## History
40+
41+
* Originally published at 2026-04-21 07:51:00 (UTC)
