ERB has an @_init deserialization guard bypass via def_module / def_method / def_class
Published: April 13, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-41316 (NVD)
- GHSA: GHSA-q339-8rmv-2mhv
GEM
- erb
SEVERITY
- CVSS v3.x: 8.1 (High)
PATCHED VERSIONS
- ~> 4.0.3.1
- ~> 4.0.4.1
- ~> 6.0.1.1
- >= 6.0.4
DESCRIPTION
ERB implements an @_init guard to prevent code execution when ERB objects are reconstructed via Marshal.load on untrusted data. However, ERB#def_method, ERB#def_module, and ERB#def_class evaluate the template source without checking this guard, allowing an attacker who controls the data passed to Marshal.load to bypass the protection and execute arbitrary code. In particular, def_module takes no arguments, making it straightforward to invoke as part of a deserialization gadget chain.
Please update the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later.
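The following Ruby check is an added example, not part of the advisory or the erb project: it decides whether a given erb version satisfies one of the patched-version requirements listed above, and reads the resolved erb version out of Gemfile.lock text so a CI job can flag a vulnerable pin. The lockfile content embedded below is constructed for the demonstration.

```ruby
require "rubygems"

# Patched-version requirements, copied from the advisory above.
ERB_PATCHED_REQUIREMENTS = [
  "~> 4.0.3.1",
  "~> 4.0.4.1",
  "~> 6.0.1.1",
  ">= 6.0.4",
].freeze

# True when +version_string+ satisfies at least one patched requirement.
# Gem::Requirement applies the same pessimistic "~>" semantics Bundler uses,
# so "~> 4.0.3.1" accepts 4.0.3.1 but rejects both 4.0.3 and 4.0.4.
def erb_patched?(version_string)
  version = Gem::Version.new(version_string)
  ERB_PATCHED_REQUIREMENTS.any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Extracts the resolved erb version from Gemfile.lock text. Resolved gems
# appear in the "specs:" section as four-space-indented "name (version)"
# lines; returns nil when erb is not pinned in the lockfile.
def erb_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^ {4}erb \(([^)]+)\)$/)
  match && match[1]
end

# Classifies the erb pin in +lockfile_text+ as :patched, :vulnerable or :not_found.
def lockfile_erb_status(lockfile_text)
  version = erb_version_from_lockfile(lockfile_text)
  return :not_found unless version
  erb_patched?(version) ? :patched : :vulnerable
end

# Constructed sample lockfile fragment pinning a pre-patch erb release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cgi (0.4.1)
      erb (4.0.3)
        cgi (>= 0.3.3)

  DEPENDENCIES
    erb
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "erb #{erb_version_from_lockfile(SAMPLE_LOCKFILE)}: #{lockfile_erb_status(SAMPLE_LOCKFILE)}"
end
```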
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2026-41316
- https://www.ruby-lang.org/en/news/2026/04/21/ruby-4-0-3-released
- https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316
- https://github.com/ruby/erb/blob/master/NEWS.md
- https://github.com/ruby/erb/commit/9d017be4e375cdd058650ce528ee6adfead20cac
- https://github.com/advisories/GHSA-q339-8rmv-2mhv
