Listen to this Post
This vulnerability bypasses the `@_init` guard introduced in ERB to prevent `Marshal.load` deserialization attacks. During initialization, `ERBinitialize` sets @_init = self.class.singleton_class. The `ERBresult` and `ERBrun` methods check `@_init.equal?(self.class.singleton_class)` before eval(@src). When an ERB object is reconstructed via Marshal.load, `@_init` becomes `nil` or an attacker-controlled value, preventing `ERBresult` from executing. However, the methods ERBdef_method, ERBdef_module, and `ERBdef_class` reach `eval(@src)` without checking @_init. Both `def_module` and `def_class` accept zero arguments, making them callable through deserialization gadget chains. Additionally, `def_method` wraps `@src` in a method definition, but an attacker can set `@src` to start with end\n, closing the method early and causing subsequent code to execute immediately. This bypass works in all ERB versions from 2.2.0 through 6.0.3. By combining this with `ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy` as a dispatch gadget, an attacker can trigger `ERBdef_module` via Marshal.load, leading to arbitrary code execution. The chain works because `Marshal.load` reconstructs a Hash with the proxy as a key, calling `.hash` on it, which triggers `method_missing` and dispatches to ERBdef_module.
dailycve form:
Platform: Ruby
Version: ERB 2.2.0-6.0.3
Vulnerability: @_init guard bypass
Severity: High
date: 2026-04-21
Prediction: Already Patched
What Undercode Say:
Analytics
Check vulnerable version gem list erb Update to patched version gem update erb -v 6.0.4 Bundle update bundle update erb Verify patch ruby -e "require 'erb'; puts ERB.instance_method(:def_method).source_location"
Exploit:
- Allocate ERB object and set @src to “end\nsystem(‘id’)\ndef x”
- Craft ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy with @instance pointing to the ERB object and @method set to :def_module
3. Marshal.dump the proxy inside a Hash
- Marshal.load triggers Hash key hash calculation -> method_missing -> ERBdef_module -> def_method -> eval(src) -> code execution
Protection from this CVE
Upgrade erb gem to 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later. Avoid Marshal.load on untrusted data. Use JSON or YAML.safe_load instead. If Marshal is necessary, use a whitelist or sandbox.
Impact
Remote code execution (RCE). An attacker can execute arbitrary system commands, leading to full server compromise, data theft, or denial of service.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

