cgi 0.1.0
Cookie Prefix Spoofing in CGI::Cookie.parse
High severity. CVE-2021-41819. Patched versions: ~> 0.1.0.1, ~> 0.1.1, ~> 0.2.1, >= 0.3.1
Old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this to spoof security prefixes in cookie names, which may trick a vulnerable application into trusting a cookie it should not. With this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if the cookie names you use include non-alphanumeric characters that are URL-encoded.
This is the same issue as CVE-2020-8184.
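The following is an added example, not code from the cgi gem or the advisory, that contrasts the two behaviours the advisory describes: a cookie parser that URL-decodes names (the pre-fix behaviour) collapses an encoded imitation of a security prefix onto the real cookie, while one that takes names verbatim (the fixed behaviour) keeps them apart. The sample Cookie header, the helper names and the use of URI.decode_www_form_component in place of the gem's own decoder are assumptions made for the example.

```ruby
require 'uri'

# Constructed Cookie header for demonstration (not from the advisory).
# The second cookie's name is the URL-encoded form of the "__Host-" prefix:
# "%5F" decodes to "_".
SAMPLE_COOKIE_HEADER = "__Host-session=abc123; %5F%5FHost-session=forged; theme=dark%20mode"

# Parse a Cookie header into a Hash of name => [values].
# decode_names: true  mirrors the pre-fix behaviour (names are URL-decoded);
# decode_names: false mirrors the fixed behaviour (names are taken verbatim).
# Values are URL-decoded in both cases, as the gem does.
def parse_cookies(header, decode_names:)
  cookies = {}
  header.to_s.split(/;\s?/).each do |pair|
    name, raw_values = pair.split('=', 2)
    next if name.nil? || name.empty?
    name = URI.decode_www_form_component(name) if decode_names
    values = raw_values.to_s.split('&').map { |v| URI.decode_www_form_component(v) }
    (cookies[name] ||= []).concat(values)
  end
  cookies
end

# Application-side check that only trusts a cookie whose *literal* name
# carries the __Host- prefix. With decode_names: false the spoofed cookie
# keeps its encoded name and never satisfies this lookup.
def trusted_host_cookie(cookies, suffix)
  cookies["__Host-#{suffix}"]
end

if __FILE__ == $0
  puts "decoding names:   #{parse_cookies(SAMPLE_COOKIE_HEADER, decode_names: true).inspect}"
  puts "verbatim names:   #{parse_cookies(SAMPLE_COOKIE_HEADER, decode_names: false).inspect}"
end
```

Run it and the first line shows "__Host-session" holding both "abc123" and "forged", because the decoded imitation merged into the genuine cookie; the second line keeps "%5F%5FHost-session" as its own key, so only the browser-set "__Host-session" value reaches the trusted lookup.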
If you are using Ruby 2.7 or 3.0:
- Update the cgi gem to version 0.3.1, 0.2.1, or 0.1.1 or later. You can use gem update cgi to update it. If you are using Bundler, add gem "cgi", ">= 0.3.1" to your Gemfile.
- Alternatively, update Ruby to 2.7.5 or 3.0.3.
If you are using Ruby 2.6:
- Update Ruby to 2.6.9. You cannot use gem update cgi for Ruby 2.6 or prior.
Buffer Overrun in CGI.escape_html
High severity. CVE-2021-41816. Patched versions: ~> 0.1.0.1, ~> 0.1.1, ~> 0.2.1, >= 0.3.1
A buffer overflow occurs when a very large string (> 700 MB) is passed to CGI.escape_html on a platform where the long type is 4 bytes, typically Windows.
Update the cgi gem to version 0.3.1, 0.2.1, or 0.1.1 or later. You can use gem update cgi to update it. If you are using Bundler, add gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, update Ruby to 2.7.5 or 3.0.3.
This issue was introduced in Ruby 2.7, so the cgi version bundled with Ruby 2.6 is not vulnerable.
HTTP response splitting in CGI
High severity. CVE-2021-33621. Patched versions: ~> 0.1.0.2, ~> 0.2.2, >= 0.3.5
cgi.rb in Ruby through 2.6.x, through 3.0.x, and through 3.1.x allows HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header and inject malicious content to deceive clients.
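As an added example that is not part of the advisory or the gem, the snippet below puts the vulnerable pattern (untrusted input interpolated straight into a header line) beside a hardened helper that validates the field name against the RFC 7230 token syntax and rejects any value containing CR or LF rather than trying to strip them. The sample values and helper names are constructed for the example.

```ruby
# Constructed inputs for demonstration (not from the advisory).
CLEAN_LOCATION  = "https://example.test/account"
SPLITTING_VALUE = "https://example.test/\r\nX-Injected: yes"   # carries CR LF

# RFC 7230 token characters: the only characters allowed in a header field name.
HEADER_NAME = /\A[A-Za-z0-9!#%$&'*+.^_`|~-]+\z/

# A header value is safe to emit only if it contains no CR or LF; a bare
# LF or CR is enough for many clients to treat what follows as a new header.
def header_value_safe?(value)
  !value.to_s.match?(/[\r\n]/)
end

# Vulnerable pattern: the untrusted value is interpolated verbatim, so a
# value containing CR LF yields two header lines instead of one.
def unsafe_header_line(name, value)
  "#{name}: #{value}\r\n"
end

# Hardened pattern: reject (do not sanitise) anything that could split
# the header, and refuse names outside the token syntax.
def safe_header_line(name, value)
  raise ArgumentError, "invalid header name #{name.inspect}" unless name.to_s.match?(HEADER_NAME)
  raise ArgumentError, "CR/LF in header value rejected" unless header_value_safe?(value)
  "#{name}: #{value}\r\n"
end

# Number of header lines a receiver would see in the emitted text; useful
# as a unit-test oracle for response-splitting regressions.
def header_line_count(text)
  text.split("\r\n").size
end

if __FILE__ == $0
  puts "unsafe: #{header_line_count(unsafe_header_line('Location', SPLITTING_VALUE))} header line(s)"
  puts "safe:   #{header_line_count(safe_header_line('Location', CLEAN_LOCATION))} header line(s)"
  begin
    safe_header_line('Location', SPLITTING_VALUE)
  rescue ArgumentError => e
    puts "safe:   rejected (#{e.message})"
  end
end
```

Rejecting is preferable to stripping because a sanitiser that removes only "\r\n" still lets a lone "\n" through to clients that accept it as a line terminator; the check above refuses either character.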
CVE-2025-27220 - ReDoS in CGI::Util#escapeElement.
Medium severity. CVE-2025-27220. Patched versions: ~> 0.3.5.1, ~> 0.3.7, >= 0.4.2
There is a possibility of Regular expression Denial of Service (ReDoS) in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.
Details
The regular expression used in CGI::Util#escapeElement is vulnerable to ReDoS. Crafted input could lead to high CPU consumption.
This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
Credits
Thanks to svalkanov for discovering this issue. Also thanks to nobu for fixing this vulnerability.
CVE-2025-27219 - Denial of Service in CGI::Cookie.parse
Medium severity. CVE-2025-27219. Patched versions: ~> 0.3.5.1, ~> 0.3.7, >= 0.4.2
There is a possibility of DoS in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.
Details
CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.
Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
Credits
Thanks to lio346 for discovering this issue. Also thanks to mame for fixing this vulnerability.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leak issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.