| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rubygems-update | rubygems | >= 2.0.0, < 2.6.14 | 2.6.14 |
The vulnerability stemmed from unsafe use of YAML.load with untrusted input in multiple locations. The GitHub patch (510b163) explicitly replaces these YAML.load calls with Gem::SafeYAML.safe_load, which implements class/symbol whitelisting. The commit message and CVE description both identify YAML deserialization bypassing whitelists as the root cause. Each identified function directly handled gem metadata parsing without proper validation, making them clear exploitation vectors.
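The difference between the pre-patch and post-patch loader behaviour described above, as an added example that is not rubygems' own code: the two metadata-style documents, the UnexpectedType class and the PERMITTED whitelist are constructed assumptions for the demo, not the project's real whitelist.

```ruby
require 'yaml'

# Harmless stand-in for any class a gem metadata loader should never instantiate.
class UnexpectedType
  attr_reader :note
end

# Constructed metadata-style documents (assumptions, not real gem metadata).
CLEAN_METADATA = <<~YAML
  name: example-gem
  version: "1.0.0"
  platform: :ruby
YAML

TAGGED_METADATA = <<~YAML
  name: example-gem
  version: "1.0.0"
  summary: !ruby/object:UnexpectedType
    note: instantiated
YAML

# Demo whitelist (an assumption, not rubygems' own list). Plain scalars and
# collections are always accepted by safe_load; Symbol is added for `platform`.
PERMITTED = [Symbol].freeze

# Pre-patch style: YAML tags drive object instantiation. On Ruby 3.1+ (Psych 4)
# YAML.load is already the safe variant, so use unsafe_load there.
def load_metadata_unsafe(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Post-patch style: only whitelisted classes are revived; any other tag raises.
# (Keyword arguments need Psych >= 3.1; older versions take positional arrays.)
def load_metadata_safe(doc, permitted: PERMITTED)
  YAML.safe_load(doc, permitted_classes: permitted, aliases: false)
rescue Psych::DisallowedClass => e
  { 'error' => e.message }
end

if __FILE__ == $PROGRAM_NAME
  p load_metadata_unsafe(TAGGED_METADATA)['summary'].class # UnexpectedType
  p load_metadata_safe(TAGGED_METADATA)['error']           # mentions UnexpectedType
  p load_metadata_safe(CLEAN_METADATA)['platform']         # :ruby
end
```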