| Memory leak in gem decode logic can allow attacker to take down Rubygems.org application |
Uncontrolled Resource Consumption |
mclaren650sspider |
Medium |
2026-04-09 |
| Server-side ReDoS via user-controlled regex in OIDC Access Policy |
Uncontrolled Resource Consumption |
6b_jjj |
No rating |
2026-03-26 |
| `/names.nsf` and all `/names*` files route to public API on rubygems.org |
Improper Access Control - Generic |
jagat-singh |
None |
2025-05-03 |
| Host Header Attac |
None supplied |
n_ob_o_dy |
Medium |
2025-02-08 |
| Bundler's RCE with response using Marshal |
Deserialization of Untrusted Data |
ooooooo_q |
No rating |
2024-03-12 |
| Possibility to guess email address from gravatar image URL |
Inadequate Encryption Strength |
ooooooo_q |
Low |
2023-09-14 |
| Dependency repository hijacking aka Repo Jacking from GitHub repo rubygems/bundler-site & rubygems/bundler.github.io + bundler.io docs |
Open Redirect |
akincibor |
Medium |
2021-12-19 |
| Malware in `active-support` gem |
Command Injection - Generic |
reed |
Critical |
2018-08-09 |
| Gem signature forgery |
Cryptographic Issues - Generic |
plover |
Medium |
2018-08-03 |
| Installer can modify other gems if gem name is specially crafted |
Path Traversal |
nmalkin |
Medium |
2018-03-22 |
| Negative size in tar header causes infinite loop |
Denial of Service |
plover |
Low |
2018-03-01 |
| [gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec |
Cross-site Scripting (XSS) - Stored |
ysx |
Medium |
2018-02-22 |
| RCE,SQL,Vulnerability + Exploit Method. |
Command Injection - Generic |
exploit_in |
No rating |
2018-02-09 |
| Host Header Injection/Redirection |
Violation of Secure Design Principles |
gorkhali |
None |
2018-02-09 |
| Host header Injection rubygems.org |
Open Redirect |
bugs3ra |
Low |
2018-02-09 |
| Remote code execution on rubygems.org |
Deserialization of Untrusted Data |
max |
Critical |
2017-11-09 |
| No limit of summary length allows Denail of Service |
Denial of Service |
mame |
High |
2017-09-01 |
| Installing a crafted gem package may create or overwrite files |
Path Traversal |
mame |
High |
2017-09-01 |
| Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier |
Code Injection |
claudijd |
High |
2017-08-31 |
| Escape sequence injection in "summary" field |
Command Injection - Generic |
mame |
Low |
2017-08-31 |
| Possible Subdomain Takeover at http://production.s3.rubygems.org/ pointing to Fastly |
None supplied |
ahsan |
None |
2017-03-06 |
| Login credentials transmitted in cleartext on index.rubygems.org |
Violation of Secure Design Principles |
eterm |
No rating |
2016-10-17 |
| Invalid username updating |
None supplied |
ghjfgjggfdfhfgsdfssdf |
No rating |
2016-10-17 |
| Password Reset emails missing TLS leads account takeover |
Improper Authentication - Generic |
c0rte |
No rating |
2016-10-04 |
| Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier |
None supplied |
claudijd |
No rating |
2015-05-14 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles