RubySec

Providing security resources for the Ruby community

CVE-2020-25739 (gon): Gon gem lack of escaping certain input when outputting as JSON

ADVISORIES

GEM

gon

SEVERITY

CVSS v3: 6.1 (Medium)

CVSS v2: 4.3 (Medium)

PATCHED VERSIONS

  • >= 6.4.0

DESCRIPTION

An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson.