Posted by k0kubun on 21 Apr 2026
We published security advisory for CVE-2026-41316.
CVE-2026-41316: ERB @_init deserialization guard bypass via def_module / def_method / def_class
A deserialization vulnerability exists in ERB. This vulnerability has been assigned the CVE identifier CVE-2026-41316. We recommend upgrading the erb gem.
Scope
Any Ruby application that calls Marshal.load on untrusted data AND has both erb and activesupport loaded is vulnerable to arbitrary code execution. This includes:
- Ruby on Rails applications that import untrusted serialized data – any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
- Ruby tools that import untrusted serialized data – any tool using
Marshal.loadfor caching, data import, or IPC - Legacy Rails apps (pre-7.0) that still use Marshal for cookie session serialization
Details
ERB implements an @_init guard to prevent code execution when ERB objects are reconstructed via Marshal.load on untrusted data. However, ERB#def_method, ERB#def_module, and ERB#def_class evaluate the template source without checking this guard, allowing an attacker who controls the data passed to Marshal.load to bypass the protection and execute arbitrary code. In particular, def_module takes no arguments, making it straightforward to invoke as part of a deserialization gadget chain.
Please update the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later.
Affected versions
- erb gem 6.0.3 or lower
Credits
Thanks to TristanInSec for discovering this issue.
History
- Originally published at 2026-04-21 07:51:00 (UTC)
0 Comments
Log in to join the conversation.No comments yet. Be the first to share your thoughts.