RubySec

Providing security resources for the Ruby community

CVE-2026-49342 (yard): YARD static cache reads raw traversal paths before router sanitization

Published: June 23, 2026

SECURITY IDENTIFIERS

GEM

yard

SEVERITY

CVSS v3.x: 5.3 (Medium)

PATCHED VERSIONS

>= 0.9.44

DESCRIPTION

Summary

YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static tree.

The potential security risk seems low, as only html-ending files can be read, but still the risk of reading arbitrary html files is a confidentiality issue in itself, which is why we decided to report. Please let us know if this is out of your project's scope.
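As an added illustration of the bug class described above (constructed here, not YARD's code and not the fix shipped in 0.9.44), the Ruby below contrasts a static-file resolver that joins the raw request path onto the document root with one that normalizes the path first and rejects any result outside the root or without the .html extension the cache serves; the function names and the /srv/docs/static root used in the comments are hypothetical.

```ruby
require "pathname"

# Vulnerable pattern (hypothetical, not YARD's implementation): the raw
# request path is joined onto the document root before any cleanup, so a
# traversal segment such as "/../" escapes the root once the path expands.
def unsafe_static_path(root, request_path)
  File.expand_path(File.join(root, request_path))
end

# Hardened pattern: resolve the joined path, then require that the result
# still lies inside the root directory and ends in .html. Any request that
# fails either check yields nil instead of a filesystem path.
def safe_static_path(root, request_path)
  root_dir = File.expand_path(root)
  resolved = File.expand_path(File.join(root_dir, request_path))
  inside = resolved == root_dir || resolved.start_with?(root_dir + File::SEPARATOR)
  return nil unless inside
  return nil unless File.extname(resolved) == ".html"
  resolved
end

# Review/test helper: does the naive resolver let this request leave the root?
def traversal_escapes_root?(root, request_path)
  root_dir = File.expand_path(root)
  resolved = unsafe_static_path(root_dir, request_path)
  !(resolved == root_dir || resolved.start_with?(root_dir + File::SEPARATOR))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample using the traversal path quoted in the advisory.
  root = "/srv/docs/static"
  puts "unsafe: #{unsafe_static_path(root, '/../yard-cache-secret.html')}"
  puts "safe:   #{safe_static_path(root, '/../yard-cache-secret.html').inspect}"
  puts "safe:   #{safe_static_path(root, '/index.html')}"
end
```

The prefix check must compare against the expanded root plus a separator, otherwise a sibling directory whose name merely starts with the root name would pass.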

RELATED