GHSA-wp3j-rvfp-624h

GitHub Security Advisory

RubyGems vulnerable to DNS hijack attack

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
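An added example (not the advisory's or RubyGems' own code) contrasting the unchecked SRV-target rewrite that the advisory describes with a hostname check of the kind the fixed releases apply. Hostnames are constructed sample values, and the check's exact logic is an assumption modelled on the fix rather than copied from it.

```ruby
require "uri"
require "resolv"

# RubyGems locates a gem server's API endpoint by looking up the
# _rubygems._tcp.<host> SRV record and rewriting the configured source
# URI to the record's target host. The two functions below contrast the
# unchecked rewrite (the vulnerable behaviour) with a hostname check of
# the kind the fixed releases apply. Assumption: the check is modelled
# on the fix, not copied from it.

# Vulnerable: whatever host the SRV record names becomes the gem server.
def api_endpoint_unchecked(source_uri, srv_target)
  URI("#{source_uri.scheme}://#{srv_target}#{source_uri.path}")
end

# Hardened: the SRV target must be a plain hostname that sits under the
# configured source host; anything else keeps the original URI, so a
# spoofed record cannot move the request to another domain.
def api_endpoint_checked(source_uri, srv_target)
  target = srv_target.to_s.strip.chomp(".").downcase
  host   = source_uri.host.downcase
  begin
    parsed = URI("http://#{target}")
  rescue URI::InvalidURIError
    return source_uri
  end
  # Reject userinfo, ports or path fragments smuggled into the record.
  return source_uri unless parsed.host == target
  # The leading dot stops "evilgems.example.org" matching "gems.example.org".
  return source_uri unless target == host || target.end_with?(".#{host}")
  URI("#{source_uri.scheme}://#{target}#{source_uri.path}")
end

# Constructed sample SRV records, shaped as a resolver would return them.
def sample_srv(target)
  Resolv::DNS::Resource::IN::SRV.new(0, 0, 443, Resolv::DNS::Name.create(target))
end

if __FILE__ == $PROGRAM_NAME
  source = URI("https://gems.example.org/")
  [sample_srv("api.gems.example.org"), sample_srv("gems.attacker.example")].each do |rec|
    puts "SRV target #{rec.target}: unchecked -> #{api_endpoint_unchecked(source, rec.target)}, " \
         "checked -> #{api_endpoint_checked(source, rec.target)}"
  end
end
```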

Affected Packages

RubyGems rubygems-update 2.0.x: affected >= 2.0.0, < 2.0.16 (fixed in 2.0.16)
RubyGems rubygems-update 2.2.x: affected >= 2.2.0, < 2.2.4 (fixed in 2.2.4)
RubyGems rubygems-update 2.4.x: affected >= 2.4.0, < 2.4.7 (fixed in 2.4.7)

Key Information

GHSA ID
GHSA-wp3j-rvfp-624h
Published
May 14, 2022 1:08 AM
Last Modified
March 10, 2023 2:29 AM
CVSS Score
7.5 /10
Primary Ecosystem
RubyGems
Primary Package
rubygems-update
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 29, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.