Marshal madness: A brief history of Ruby deserialization exploits
21 days ago
- #Ruby
- #Deserialization
- #Security
- Ruby's Marshal module has a long history of deserialization vulnerabilities, with a cycle of patches and bypasses.
- The first documented issue was in 2013, highlighting the dangers of Marshal.load in Ruby 2.0.0.
- Exploitation techniques evolved, with researchers like Luke Jahnke and William Bowling publishing universal RCE deserialization gadgets.
- Modern techniques use advanced program analysis tools like CodeQL to find exploit gadgets.
- Recent vulnerabilities in Ruby 3.4 and RubyGems.org show that Marshal-related issues persist.
- Recommendations include auditing for Marshal usage, replacing it with safer alternatives, and deprecating unsafe methods.
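An added example (not code from the original post) in Ruby illustrating the last recommendation: a constructed AuditProbe class whose marshal_load runs whenever Marshal.load meets its name in a byte stream, beside a JSON-based safe_dump/safe_load pair that accepts only plain data. AuditProbe, UNTRUSTED_BLOB and the safe_* helpers are all names invented here.

```ruby
require "json"

# Constructed demo class. Marshal.load allocates whatever class the byte
# stream names and calls its marshal_load, so every such method loaded in the
# process is reachable from attacker-controlled bytes. This one only counts.
class AuditProbe
  @invocations = 0
  class << self; attr_accessor :invocations; end
  def marshal_dump; "probe"; end
  def marshal_load(_data); self.class.invocations += 1; end
end

# Bytes an untrusted party could hand to Marshal.load. Built here from the
# probe itself for convenience; the loader never needs a probe object to exist.
UNTRUSTED_BLOB = Marshal.dump(AuditProbe.new)

def load_with_marshal(blob)
  Marshal.load(blob) # triggers AuditProbe#marshal_load before returning
end

# Safer replacement: JSON with a strict allowlist of plain data types.
# JSON.parse with create_additions: false never instantiates application
# classes, and check_plain! rejects anything that is not scalar/array/hash
# (Symbols, Time, application objects, non-string hash keys all fail).
ALLOWED = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

def check_plain!(value)
  case value
  when Array
    value.each { |v| check_plain!(v) }
  when Hash
    value.each do |k, v|
      raise TypeError, "non-string key #{k.inspect}" unless k.is_a?(String)
      check_plain!(v)
    end
  else
    raise TypeError, "#{value.class} not allowed" unless ALLOWED.any? { |c| value.is_a?(c) }
  end
end

def safe_dump(value)
  check_plain!(value)
  JSON.generate(value)
end

def safe_load(text)
  value = JSON.parse(text, create_additions: false)
  check_plain!(value)
  value
end
```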