GHSA-73w7-6w9g-gc8w

GitHub Security Advisory

RubyGems has Origin Validation Error vulnerability

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

RubyGems versions 2.6.12 and earlier contain a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

Affected Packages

RubyGems rubygems-update
Affected versions: 0 (fixed in 2.6.13)

Related CVEs

Key Information

GHSA ID: GHSA-73w7-6w9g-gc8w
Published: May 13, 2022 1:38 AM
Last Modified: March 9, 2023 12:36 AM
CVSS Score: 7.5/10
Primary Ecosystem: RubyGems
Primary Package: rubygems-update
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.