CVE-2025-27220

NameCVE-2025-27220
DescriptionIn the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4082-1
Debian Bugs1103793

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby2.7 (PTS)bullseye2.7.4-1+deb11u1vulnerable
bullseye (security)2.7.4-1+deb11u5fixed
ruby3.1 (PTS)bookworm, bookworm (security)3.1.2-7+deb12u1vulnerable
ruby3.3 (PTS)forky, sid, trixie3.3.8-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby2.7sourcebullseye2.7.4-1+deb11u5DLA-4082-1
ruby2.7source(unstable)(unfixed)
ruby3.1source(unstable)(unfixed)1103793
ruby3.3source(unstable)3.3.7-2

Notes

[bookworm] - ruby3.1 <no-dsa> (Minor issue)
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml
https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6 (v0.4.2)
https://github.com/ruby/cgi/pull/52
Search for package or bug name: Reporting problems