Intel

AIKIDO-2026-433182

rubygems-update is vulnerable to Improper Input Validation

Improper Input Validation Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

58

Medium Risk

This Affects:

RUBYrubygems-update
2.2.0 - 4.0.13
Fixed in 4.0.14
Are you affected? Scan for Free

TL;DR

rubygems' gem installer was vulnerable to malicious executable/bin names being embedded into generated Ruby wrapper code, enabling Ruby code injection (leading to RCE) and also to bindir/executable path manipulation via insufficient validation. The patch escapes embedded filename characters and adds strict validation that bindir stays within the gem directory and executables are safe basenames. Bundler also includes a fix for cooldown filtering that could break dependency resolution (DoS), plus improved terminal/control-character sanitization.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

rubygems-update is vulnerable to Improper Input Validation in versions 2.2.0 - 4.0.13.

How to fix this

Upgrade the rubygems-update library to the patch version.