Vinistock

#25200 of 53,634
9.8 Total CVSS
Vulnerabilities · 1
PT-2026-28598
9.8
2026-03-27
Microsoft · Vscode · CVE-2026-34060
**Name of the Vulnerable Software and Affected Versions**

ruby-lsp versions prior to 0.10.2
ruby-lsp gem versions prior to 0.26.9

**Description**

The `rubyLsp.branch` VS Code workspace setting was used in generating a Gemfile without proper sanitization, potentially allowing arbitrary Ruby code execution when opening a project with a malicious `.vscode/settings.json`. This impacts editors that automatically apply workspace settings upon opening and trusting the workspace. Ruby LSP operates under the assumption that workspace code is trusted, and opening an untrusted workspace could lead to the execution of dangerous code. The `branch` CLI argument and setting have been removed to address this.

**Recommendations**

Update to ruby-lsp extension version 0.10.2 or later.
Update the ruby-lsp gem to version 0.26.9 or later.
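
A pre-trust check for the condition described above, as an added example that is not code from Ruby LSP or from this advisory: it reports any `rubyLsp.branch` entry in a workspace's `.vscode/settings.json` and any ruby-lsp gem below 0.26.9 in `Gemfile.lock`. The character allowlist, the function names and the sample inputs are assumptions made for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Added example, not Ruby LSP code. The allowlist below is an assumption:
# a conservative set of characters for a plain branch name.
SAFE_REF = /\A[A-Za-z0-9._\/-]+\z/
FIXED_GEM = Gem::Version.new("0.26.9") # fixed gem version named in the advisory
BRANCH_KEY = /"rubyLsp\.branch"\s*:\s*"((?:\\.|[^"\\])*)"/

# Returns an array of finding strings for one workspace directory.
def audit_workspace(dir)
  findings = []
  settings = File.join(dir, ".vscode", "settings.json")
  if File.file?(settings)
    # Match on raw text: settings.json may contain comments, so it is not
    # always valid JSON, and the raw escaped value is what a reviewer needs.
    File.read(settings).scan(BRANCH_KEY) do |(value)|
      level = value.match?(SAFE_REF) ? "review" : "suspicious"
      findings << "#{level}: rubyLsp.branch = #{value.inspect}"
    end
  end
  lock = File.join(dir, "Gemfile.lock")
  if File.file?(lock)
    # Resolved gems sit at four spaces of indentation under "specs:".
    File.read(lock).scan(/^    ruby-lsp \(([^)]+)\)$/) do |(version)|
      next unless Gem::Version.correct?(version)
      if Gem::Version.new(version) < FIXED_GEM
        findings << "outdated: ruby-lsp gem #{version} < #{FIXED_GEM}"
      end
    end
  end
  findings
end

# Builds a constructed workspace on disk and audits it (for demonstration).
def audit_sample(settings_json, lockfile)
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, ".vscode"))
    File.write(File.join(dir, ".vscode", "settings.json"), settings_json)
    File.write(File.join(dir, "Gemfile.lock"), lockfile)
    audit_workspace(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  ARGV.each { |dir| puts audit_workspace(dir).map { |f| "#{dir}: #{f}" } }
end
```

Because the setting has been removed, any `rubyLsp.branch` entry is reported; a value outside the allowlist is marked `suspicious` and anything else `review`.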