CVE-2009-1904

Ruby 1.8.6-1.8.7 - Denial of Service via BigDecimal Large Number Conversion


Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-1904. PoCs published by NZKoz.

AI-analyzed exploit summary

The repository contains a functional PoC for CVE-2009-1904, a DoS vulnerability in Ruby's BigDecimal library. The example.rb file demonstrates the segfault by processing maliciously crafted input strings, while the fix file provides a workaround by validating input to prevent the crash.

Description

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.
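A defensive wrapper in the spirit of the input-validation workaround described on this page, written here as an added example (it is not code from the NZKoz repository or from Ruby itself); the regex, the exponent bounds and the function names are assumptions of this example:

```ruby
require 'bigdecimal'

# Added example (hypothetical helper, not the NZKoz fix): refuse to hand a
# decimal string whose magnitude a Float cannot represent to BigDecimal#to_f.
# Vulnerable 1.8.x builds crashed on such input; patched interpreters return
# Infinity, which most callers still do not want.
DECIMAL_RE = /\A([+-])?(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\z/

# Base-10 exponent of the leading non-zero digit, or nil when the string is
# not a plain decimal literal (hex, "NaN", "Infinity", whitespace are refused).
def decimal_exponent(str)
  m = DECIMAL_RE.match(str)
  return nil unless m
  int, frac, exp = m[2], (m[3] || ""), (m[4] || "0").to_i
  digits = int + frac
  return 0 if digits.delete("0").empty?   # zero has no magnitude to check
  lead = digits.index(/[1-9]/)             # offset of first significant digit
  (int.length - 1 - lead) + exp
end

MAX_EXP = Float::MAX_10_EXP               # 308: above this Float overflows
MIN_EXP = Float::MIN_10_EXP - 17          # -324: below this Float underflows

# Validates first, converts only when the value fits a double.
def safe_to_f(str)
  e = decimal_exponent(str)
  raise ArgumentError, "not a decimal literal: #{str.inspect}" if e.nil?
  if e > MAX_EXP || e < MIN_EXP
    raise RangeError, "decimal magnitude 10**#{e} is outside Float range"
  end
  BigDecimal(str).to_f
end
```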

Exploits (1)

nomisec · Working PoC · 14 stars
by NZKoz · poc
https://github.com/NZKoz/bigdecimal-segfault-fix


Classification
Working PoC 95%
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target: Ruby BigDecimal library (versions prior to the fix)
No auth needed
Prerequisites: Ruby environment with vulnerable BigDecimal library
Analyzed by devstral-2 on Feb 18, 2026


Scores

EPSS 0.0453
EPSS Percentile 89.3%

Details

CWE
CWE-189
Status published
Products (2)
ruby-lang/ruby 1.8.6
ruby-lang/ruby 1.8.7
Published Jun 11, 2009
Tracked Since Feb 18, 2026