RubySec

Providing security resources for the Ruby community

GHSA-29g5-m8v7-v564 (measured): Measured is vulnerable to Path Traversal attacks during class initialization

Published: July 15, 2025

SECURITY IDENTIFIERS

GEM

measured

PATCHED VERSIONS

>= 3.2.1

DESCRIPTION

Impact

A path traversal vulnerability exists in the initialization of the Measured::Cache::Json class: an attacker who is able to manipulate the inputs used when initializing the class would be able to instruct the library to read arbitrary files.

Patches

Users should update to the latest version.
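
To confirm whether a project still resolves a version below the patched range listed above, the check below reads a Gemfile.lock and classifies the locked measured version. It is an added example, not part of the advisory or of the measured project; the helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Gem name and patched range as listed in this advisory (GHSA-29g5-m8v7-v564).
GEM_NAME = "measured"
PATCHED  = Gem::Requirement.new(">= 3.2.1")

# Hypothetical helper: return the resolved versions of `name` in a Gemfile.lock.
# Resolved gems sit at four spaces of indent ("    measured (3.2.0)");
# dependency constraints sit deeper and DEPENDENCIES entries shallower.
def locked_versions(lockfile_text, name)
  pattern = /^ {4}#{Regexp.escape(name)} \(([^)\s]+)\)\s*$/
  lockfile_text.scan(pattern).flatten.map do |raw|
    # Drop a platform suffix such as "1.2.3-x86_64-linux" before comparing.
    Gem::Version.new(raw.split("-").first)
  end
end

# Hypothetical helper: :not_present, :patched or :vulnerable for a lockfile.
def measured_status(lockfile_text)
  versions = locked_versions(lockfile_text, GEM_NAME)
  return :not_present if versions.empty?
  versions.all? { |v| PATCHED.satisfied_by?(v) } ? :patched : :vulnerable
end

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.1.3)
      measured (3.2.0)
        activesupport (>= 5.2)
      measured-rails (3.0.0)

  DEPENDENCIES
    measured
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a real Gemfile.lock, or run without arguments for the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "#{GEM_NAME}: #{measured_status(text)}"
end
```

The match is anchored on the exact gem name, so similarly named gems such as measured-rails in the sample are not mistaken for measured.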