CVE-2015-4410: Moped Rubygem Data Injection Vulnerability
CVSS Score: 7.5 (CVSS v3.1)

Basic Information
CVE ID: CVE-2015-4410
GHSA ID:
EPSS Score: 0.83986%
CWE:
Published: 8/19/2020
Updated: 8/25/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
moped | rubygems | < 1.5.3 | 1.5.3
moped | rubygems | >= 2.0.0, < 2.0.5 | 2.0.5
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the regex validation in the Moped::BSON::ObjectId.legal? method. The original implementation used /^[0-9a-f]{24}$/i, which does not anchor the whole string in Ruby, because ^ and $ match at line boundaries rather than at the absolute start and end of the string. Commit dd5a7c14b5d2e466f7875d079af71ad19774609b fixed this by replacing ^ and $ with \A and \z. The flaw allowed inputs with trailing newlines or multi-line data to pass validation, enabling resource consumption (DoS) or BSON injection. The GitHub advisory, the CVE description, and supporting technical analysis (e.g., the Sakurity blog) explicitly identify this method as the root cause.