CVE-2026-41316

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an @_init instance variable guard in ERB#result and ERB#run to prevent code execution when an ERB object is reconstructed via Marshal.load (deserialization). However, three other public methods that also evaluate @src via eval() were not given the same guard: ERB#def_method, ERB#def_module, and ERB#def_class. An attacker who can trigger Marshal.load on untrusted data in a Ruby application that has erb loaded can use ERB#def_module (zero-arg, default parameters) as a code execution sink, bypassing the @_init protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

Weakness

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Affected Software

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/1.html
• https://cwe.mitre.org/data/definitions/107.html
• https://cwe.mitre.org/data/definitions/127.html
• https://cwe.mitre.org/data/definitions/17.html
• https://cwe.mitre.org/data/definitions/20.html
• https://cwe.mitre.org/data/definitions/22.html
• https://cwe.mitre.org/data/definitions/237.html
• https://cwe.mitre.org/data/definitions/36.html
• https://cwe.mitre.org/data/definitions/477.html
• https://cwe.mitre.org/data/definitions/480.html
• https://cwe.mitre.org/data/definitions/51.html
• https://cwe.mitre.org/data/definitions/57.html
• https://cwe.mitre.org/data/definitions/59.html
• https://cwe.mitre.org/data/definitions/65.html
• https://cwe.mitre.org/data/definitions/668.html
• https://cwe.mitre.org/data/definitions/74.html
• https://cwe.mitre.org/data/definitions/87.html

References

• https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv