Savon::Model evaluates WSDL operation names as Ruby source
Published: June 10, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-53510 (NVD)
- GHSA: GHSA-mx5j-mp4f-g8jg
GEM
SEVERITY
CVSS v3.x: 8.1 (High)
UNAFFECTED VERSIONS
< 0.9.8
PATCHED VERSIONS
>= 2.17.2
DESCRIPTION
Savon::Model generated SOAP operation methods by interpolating operation names into Ruby source passed to module_eval. An attacker who can control the operation names in a WSDL that the application loads can inject Ruby code that executes in the application process as soon as the methods are generated, without any SOAP call being made. Only the .all_operations class method provided by Savon::Model, which automatically registers every operation found in the WSDL, is affected. Configuring Savon::Model with trusted, hard-coded operation names via .operations is not affected, because those names do not come from the WSDL.
Thanks to @connorshea for securely disclosing this, providing a proof and a great report.
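To make the class of bug concrete, the following is an added example and is not Savon's code, nor the fix shipped in 2.17.2. It is a minimal registry that defines one method per WSDL operation name, first with the unsafe string-`module_eval` pattern the advisory describes and then with a hardened `define_method` variant that never compiles the name as source. The names OperationRegistry, SoapStub, INJECTION_LOG, register_via_eval and register_via_define_method, and the two operation names, are assumptions constructed for the demonstration.

```ruby
# Added example (not the savon gem's code): the unsafe "operation name ->
# module_eval" pattern next to a hardened replacement. All class, method and
# constant names here are assumptions for the demonstration.

# Side-effect sink so we can observe code running at *registration* time.
INJECTION_LOG = []

# Stand-in for the client object the generated methods delegate to.
class SoapStub
  attr_reader :calls

  def initialize
    @calls = []
  end

  # Pretend to perform the SOAP call; just record it.
  def call(operation, locals = {})
    @calls << [operation, locals]
    { operation: operation, locals: locals }
  end
end

module OperationRegistry
  # Unsafe: the operation name is spliced into Ruby source and compiled.
  # Anything the WSDL author puts in the name becomes code in this process.
  def self.register_via_eval(target, operation_names)
    operation_names.each do |op|
      target.module_eval <<~RUBY
        def #{op}(locals = {})
          call(__method__, locals)
        end
      RUBY
    end
  end

  # Only plain Ruby identifiers are accepted as method names.
  SAFE_NAME = /\A[a-z_][a-zA-Z0-9_]*\z/

  # Hardened: validate the name, then use define_method with a Symbol.
  # No string is ever compiled, so a hostile name cannot become code.
  def self.register_via_define_method(target, operation_names)
    operation_names.each do |op|
      name = op.to_s
      unless SAFE_NAME.match?(name)
        raise ArgumentError, "refusing untrusted operation name: #{name.inspect}"
      end
      sym = name.to_sym
      target.define_method(sym) { |locals = {}| call(sym, locals) }
    end
  end
end

# Constructed "WSDL" operation names. The hostile one closes the method
# definition early, runs attacker code, and opens a new def so that the rest
# of the template still parses.
BENIGN_NAME  = "get_weather"
HOSTILE_NAME = "ping; end; INJECTION_LOG << :attacker_code_ran; def __x #"

# Returns what ran during registration with the unsafe pattern.
def demo_vulnerable
  INJECTION_LOG.clear
  klass = Class.new(SoapStub)
  OperationRegistry.register_via_eval(klass, [BENIGN_NAME, HOSTILE_NAME])
  # Attacker code has already run; no SOAP operation was ever invoked.
  INJECTION_LOG.dup
end

# Returns the benign call result and whether the hostile name was refused.
def demo_hardened
  INJECTION_LOG.clear
  klass = Class.new(SoapStub)
  OperationRegistry.register_via_define_method(klass, [BENIGN_NAME])
  result = klass.new.get_weather({ city: "Oslo" })
  rejected = begin
    OperationRegistry.register_via_define_method(klass, [HOSTILE_NAME])
    false
  rescue ArgumentError
    true
  end
  { result: result, hostile_rejected: rejected, log: INJECTION_LOG.dup }
end

if __FILE__ == $PROGRAM_NAME
  p demo_vulnerable
  p demo_hardened
end
```

The point of the hostile name is that it is syntactically valid once interpolated, so nothing fails loudly: the benign method and the injected code are both defined and the payload runs during registration. The hardened version does two independent things, and either alone would stop this payload: it passes the name to define_method as a Symbol, which never parses it, and it rejects anything that is not a plain identifier so that odd names cannot reach the method table at all.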
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53510
- https://github.com/savonrb/savon/releases/tag/v2.17.2
- https://github.com/savonrb/savon/blob/main/CHANGELOG.md#2172---2026-06-10
- https://github.com/savonrb/savon/blob/v2.17.1/lib/savon/model.rb#L30-L45
- https://gist.github.com/connorshea/6cdc951abe0e1ffd2d1cc0fa7cd6b74d
- https://github.com/savonrb/savon/security/advisories/GHSA-mx5j-mp4f-g8jg
