CVE-2023-40165

Name of the Vulnerable Software and Affected Versions rubygems.org (affected versions not specified)

Description The issue is related to insufficient input validation in rubygems.org, the Ruby community's primary gem hosting service. This allowed malicious actors to replace any uploaded gem version that had a platform, version number, or gem name matching /-d/, permanently replacing the legitimate upload in the canonical gem storage bucket and triggering an immediate CDN purge. The maintainers have checked all gems matching the /-d/ pattern and can confirm that no unexpected .gems were found, leading to the belief that this issue was not exploited. Users can verify the integrity of their downloaded gems by checking that the checksums match the ones recorded in the RubyGems.org database.

Recommendations No action is required on the part of the user, as the issue has been patched with improved input validation and the changes are live. However, users are advised to validate their local gems. To assist in the investigation, users can run bundle add bundler-integrity followed by bundle exec bundler-integrity to compare RubyGems API-provided checksums with the checksums of files on their disk.