Regular Expression Denial of Service in Ruby's CGI Gem
CVE-2025-27220

7.5HIGH

Key Information:

Vendor: Ruby-lang
Status: Cgi
Vendor: CVE Published:; 4 March 2025

What is CVE-2025-27220?

A Regular Expression Denial of Service (ReDoS) vulnerability is present in the Util#escapeElement method within the CGI gem for Ruby versions prior to 0.4.2. This flaw can be exploited by an attacker to cause significant delays in processing requests, potentially leading to degraded service and application unavailability. The vulnerability arises from insufficiently optimized regular expressions that can be manipulated to consume extensive resources when processing certain inputs.

Affected Version(s)

CGI 0 < 0.3.5.1

CGI 0.3.6 < 0.3.7

CGI 0.4.0 < 0.4.2

References

https://hackerone.com/reports/2890322

https://github.com/rubysec/ruby-advisory-db/blob/master/g...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 4, 2025

Ruby-lang

What is CVE-2025-27220?

Affected Version(s)

References

CVSS V3.1

Timeline