Description
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism.
References (2)
Core 2
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://bugs.ruby-lang.org/issues/13742
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/59344
Scores
CVSS v3
9.8
EPSS
0.0034
EPSS Percentile
56.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-125
CWE-787
Status
published
Products (1)
ruby-lang/ruby
2.4.1
Published
Jul 19, 2017
Tracked Since
Feb 18, 2026