← Back to CVE List

CVE-2024-35221

Published: 2024-05-29T21:15Z
Last Modified: 2024-11-21T09:19Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt