GCVE - cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*

part: a version: * update: *

Vendor	Ruby Lang (`5813a634-c286-5f1d-90d5-a1a352f78d39`)
Product	Cgi (`31d56d99-eb33-5034-b28c-8c4a5f259cbb`)
Edition	*
Language	*
Software edition	*
Target software	ruby
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:gem/cgi`	purl2cpe	2026-06-01 10:11:45.661609
`pkg:github/ruby/cgi`	purl2cpe	2026-06-01 10:11:45.661611

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-27220`	vulnerable	2026-06-03 15:00:11.882832	Details available MEDIUM (4) In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. Published: 2025-03-03T00:00:00.000Z Updated: 2025-11-03T21:13:25.250Z Open on db.gcve.eu Reference links https://hackerone.com/reports/2890322 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-27219`	vulnerable	2026-06-03 15:00:11.880948	Details available MEDIUM (5.8) In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies. Published: 2025-03-03T00:00:00.000Z Updated: 2025-11-03T21:13:23.842Z Open on db.gcve.eu Reference links https://hackerone.com/reports/2936778 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-41816`	vulnerable	2026-06-03 14:45:26.261292	Details available CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby. Published: 2022-02-06T00:00:00.000Z Updated: 2024-08-04T03:22:24.883Z Open on db.gcve.eu Reference links https://hackerone.com/reports/1328463 https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/ https://security-tracker.debian.org/tracker/CVE-2021-41816 https://security.netapp.com/advisory/ntap-20220303-0006/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-33621`	vulnerable	2026-06-03 14:44:43.693047	Details available The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. Published: 2022-11-18T00:00:00.000Z Updated: 2025-11-04T16:09:15.135Z Open on db.gcve.eu Reference links https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/ https://security.netapp.com/advisory/ntap-20221228-0004/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.