GHSA-qv62-xfj6-32xm

GitHub Security Advisory

RubyGems Improper Input Validation vulnerability

GitHub Reviewed: Yes | Severity: MODERATE | Has CVE

Advisory Details

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack."

NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
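The flaw described above is a suffix check on the SRV target that does not respect DNS label boundaries, so a target under a foreign registrable domain that merely ends with the expected host name passes. The following Ruby is an added illustration written for this page, not RubyGems' own code: it places the weak check beside a corrected one (exact host, or a subdomain separated by a dot) and runs both through a small endpoint-selection routine over constructed SRV answers. The `_rubygems._tcp` record name, the `lookup` callable and the sample records are assumptions for the demonstration.

```ruby
# Added illustration (not RubyGems' own code): validating the target of an
# SRV-based API endpoint lookup so that a request cannot be redirected to a
# foreign domain that merely ends with the expected host name.

# The weak check: any target that ends with the original host is accepted.
# With host "gems.test", the target "evilgems.test" passes, which is the
# pattern the advisory describes. (A trailing dot from the resolver is
# stripped so that the comparison itself is what is being tested.)
def suffix_only_ok?(host, target)
  target.chomp(".").end_with?(host)
end

# The corrected check: the target must be the host itself or a subdomain of
# it on a label boundary (".host"). DNS names are case-insensitive, so both
# sides are lower-cased; a trailing dot from the resolver is stripped.
def same_or_subdomain?(host, target)
  h = host.downcase.chomp(".")
  t = target.downcase.chomp(".")
  t == h || t.end_with?(".#{h}")
end

# Look up the SRV record for +host+ through +lookup+ (assumption: a callable
# that returns the SRV target name, or nil when there is no record) and
# return the endpoint to use. An untrustworthy target falls back to +host+,
# so the request never leaves the expected domain.
def api_endpoint(host, lookup)
  target = lookup.call("_rubygems._tcp.#{host}")
  return host if target.nil? || target.empty?
  same_or_subdomain?(host, target) ? target.chomp(".") : host
end

# Constructed SRV answers standing in for a real resolver; the .test TLD is
# reserved for exactly this kind of example.
FAKE_SRV = {
  "_rubygems._tcp.example.org" => "api.example.org.",  # legitimate subdomain
  "_rubygems._tcp.gems.test"   => "evilgems.test.",    # suffix-only match
  "_rubygems._tcp.noapi.test"  => nil                  # no SRV record
}.freeze
FAKE_LOOKUP = ->(name) { FAKE_SRV[name] }

if __FILE__ == $0
  %w[example.org gems.test noapi.test].each do |host|
    target = FAKE_LOOKUP.call("_rubygems._tcp.#{host}")
    puts format("%-12s srv=%-18s weak=%-5s strict=%-5s endpoint=%s",
                host, target.inspect,
                target ? suffix_only_ok?(host, target) : "n/a",
                target ? same_or_subdomain?(host, target) : "n/a",
                api_endpoint(host, FAKE_LOOKUP))
  end
end
```

Running it shows the weak check accepting `evilgems.test` for host `gems.test` while the corrected check rejects it and the endpoint selection falls back to the original host; the legitimate `api.example.org` target is accepted by both.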

Affected Packages

rubygems-update (RubyGems): all versions before 2.0.17 (fixed in 2.0.17)
rubygems-update (RubyGems): 2.1.0.rc.1 up to, but not including, 2.2.5 (fixed in 2.2.5)
rubygems-update (RubyGems): 2.3.0 up to, but not including, 2.4.8 (fixed in 2.4.8)

Key Information

GHSA ID
GHSA-qv62-xfj6-32xm
Published
May 17, 2022 12:16 AM
Last Modified
May 4, 2023 9:14 PM
CVSS Score
5.0 /10
Primary Ecosystem
RubyGems
Primary Package
rubygems-update
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 29, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.