CVE-2024-35221

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions: RubyGems.org (affected versions not specified)

Description: The issue is related to how Ruby reads the Manifest of Gem files when using Gem::Specification.from yaml, which makes use of SafeYAML.load. This allows YAML aliases inside the YAML-based metadata of a gem, enabling Denial of Service attacks with so-called YAML-bombs, comparable to Billion laughs attacks. A Gem publisher can cause a Remote DoS when publishing a Gem. The issue was discovered by the GitHub security lab and has been patched.

Recommendations: Since the issue was patched and there is no action required by users, the recommendation is to ensure that the latest patched version is used. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

BDU:2024-05598

CVE-2024-35221

GHSA-4VC5-WHWR-7HH2

OESA-2024-1780

OESA-2024-1938

SUSE-SU-2025:02814-1

SUSE-SU-2025:02814-2

SUSE-SU-2025:4264-1

SUSE-SU-2025_02814-1

SUSE-SU-2025_02814-2

SUSE-SU-2025_4264-1

Affected Products

Rubygems.Org

Suse

CVE-2024-35221

Weakness Enumeration

Related Identifiers

Affected Products

References · 39