CVE-2024-27281 Overview
An insecure deserialization vulnerability was discovered in RDoc versions 6.3.3 through 6.6.2, as distributed with Ruby 3.x through 3.3.0. When parsing .rdoc_options configuration files as YAML, the library fails to restrict the classes that can be restored during deserialization. This allows attackers to inject arbitrary Ruby objects, potentially leading to remote code execution. The vulnerability also affects the documentation cache loading mechanism, where a crafted cache file could similarly achieve code execution.
Critical Impact
Attackers who can place malicious .rdoc_options or cache files in a project directory can achieve remote code execution when RDoc processes these files. This affects Ruby development environments and CI/CD pipelines where RDoc generates documentation.
Affected Products
- RDoc 6.3.3 through 6.6.2
- Ruby 3.x through 3.3.0 (bundled RDoc)
- Ruby development environments using affected RDoc versions
Discovery Timeline
- 2024-03-21 - Ruby Security Announcement CVE-2024-27281 published
- 2024-05-14 - CVE CVE-2024-27281 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-27281
Vulnerability Analysis
This vulnerability stems from CWE-502: Deserialization of Untrusted Data. RDoc uses YAML for configuration parsing and documentation cache storage. The core issue is that YAML deserialization in Ruby can instantiate arbitrary classes when certain YAML tags are used. Without proper restrictions on allowed classes, an attacker can craft YAML payloads that instantiate dangerous objects, ultimately achieving code execution.
The attack requires local access and user interaction, as the victim must run RDoc in a directory containing the malicious configuration file. However, this scenario is common in development workflows where developers clone repositories and generate documentation. The vulnerability affects both the .rdoc_options configuration file and the documentation cache mechanism.
Root Cause
The root cause is the unrestricted deserialization of YAML content in RDoc's configuration and cache handling. Ruby's YAML parser (Psych) supports arbitrary object instantiation through special YAML tags. RDoc failed to implement safe loading practices that would restrict which classes can be deserialized. This is a classic insecure deserialization pattern where user-controllable input is passed to a deserializer without proper type restrictions.
Attack Vector
The attack vector is local, requiring an attacker to place a malicious .rdoc_options file or crafted cache file in a location where RDoc will process it. Practical attack scenarios include:
Supply Chain Attack: An attacker commits a malicious .rdoc_options file to a public repository. When developers clone the repository and run RDoc for documentation generation, the malicious payload executes.
Cache Poisoning: If an attacker can write to the RDoc cache directory, they can inject a crafted cache file that executes code when RDoc loads the cache.
CI/CD Pipeline Exploitation: Automated documentation builds that process untrusted repositories could execute malicious payloads embedded in configuration files.
The exploitation leverages Ruby's ability to instantiate objects during YAML deserialization. By crafting YAML with specific tags that reference classes with dangerous initialize or callback methods, attackers can achieve arbitrary code execution. For detailed technical analysis, see the HackerOne Report #1187477.
Detection Methods for CVE-2024-27281
Indicators of Compromise
- Presence of .rdoc_options files containing suspicious YAML tags such as !ruby/object:, !ruby/hash:, or !ruby/struct:
- Unexpected Ruby process spawning during documentation generation
- Unusual network connections or file system modifications during RDoc execution
- Modified or unexpected files in RDoc cache directories
Detection Strategies
- Implement file integrity monitoring on .rdoc_options files across development environments
- Audit Git repositories for suspicious YAML files containing Ruby object instantiation tags
- Monitor RDoc processes for unexpected child process creation or network activity
- Use static analysis tools to scan YAML files for potentially dangerous deserialization patterns
Monitoring Recommendations
- Enable logging for documentation generation processes in CI/CD pipelines
- Implement sandboxing for documentation build processes to limit impact of successful exploitation
- Review repository contents before running documentation tools on newly cloned projects
- Monitor for anomalous behavior during automated build processes
How to Mitigate CVE-2024-27281
Immediate Actions Required
- Update RDoc to version 6.6.3.1 or later immediately
- For Ruby 3.0 environments, update to RDoc 6.3.4.1
- For Ruby 3.1 environments, update to RDoc 6.4.1.1
- For Ruby 3.2 environments, update to RDoc 6.5.1.1
- Audit existing repositories for suspicious .rdoc_options files before running RDoc
Patch Information
The vulnerability has been fixed in RDoc 6.6.3.1 (main fix) with backports available for earlier Ruby versions. The fix implements safe YAML loading that restricts which classes can be instantiated during deserialization. Updates are available through standard Ruby gem channels and operating system package managers.
Linux distributions have released security updates:
Workarounds
- Avoid running RDoc on untrusted or unreviewed repositories
- Remove or audit .rdoc_options files from third-party repositories before documentation generation
- Run documentation generation in isolated, sandboxed environments with limited privileges
- Consider using alternative documentation tools until patching is complete
# Update RDoc to the fixed version
gem update rdoc
# Verify the installed version
gem list rdoc
# For bundler-managed projects, update Gemfile
bundle update rdoc
# Scan for suspicious .rdoc_options files
find /path/to/projects -name ".rdoc_options" -exec grep -l "!ruby/" {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
