CVE-2019-16255

8.1 HIGH

📋 TL;DR

This vulnerability allows remote code execution in Ruby applications using the Shell#[] or Shell#test methods with untrusted input. Attackers can inject arbitrary Ruby code to execute commands on the system. Affects Ruby versions through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4.

💻 Affected Systems

Products:
  • Ruby
  • Ruby on Rails applications
  • Applications using Ruby Shell methods
Versions: Ruby 2.4.x through 2.4.7, Ruby 2.5.x through 2.5.6, Ruby 2.6.x through 2.6.4
Operating Systems: All operating systems running affected Ruby versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when Shell#[] or Shell#test methods are used with untrusted input. Many applications may not use these specific methods.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with arbitrary code execution leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case: Application compromise allowing data exfiltration, privilege escalation, or lateral movement within the environment.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially preventing exploitation entirely.

🌐 Internet-Facing: HIGH - Web applications accepting user input that reaches vulnerable Shell methods are directly exploitable from the internet.
🏢 Internal Only: MEDIUM - Internal applications using Shell methods with untrusted data remain vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to use vulnerable Shell methods with user-controlled input. Proof of concept available in HackerOne report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Ruby 2.4.8, 2.5.7, 2.6.5 and later

Vendor Advisory: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

Restart Required: Yes

Instructions:

1. Update Ruby to a patched version using the package manager (apt/yum) or a Ruby version manager (rbenv/RVM).
2. Restart all Ruby processes and applications.
3. Verify the update with 'ruby -v'.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Validate and sanitize all user input before passing it to Shell methods. Use allowlists for expected values.

Avoid Shell Methods with Untrusted Data (applies to: all)

Replace Shell#[] and Shell#test calls that receive untrusted data with safer alternatives such as system() with explicit arguments or Open3 methods.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all data passed to Shell methods
  • Use application firewalls (WAF) to block suspicious patterns in user input
  • Isolate vulnerable applications in network segments with restricted access

🔍 How to Verify

Check if Vulnerable:

Check the Ruby version with 'ruby -v'. If the version is 2.4.0-2.4.7, 2.5.0-2.5.6, or 2.6.0-2.6.4, the system is vulnerable when Shell methods are used with untrusted input.

Check Version:

ruby -v

Verify Fix Applied:

Verify that the Ruby version is 2.4.8+, 2.5.7+, or 2.6.5+ with 'ruby -v'. Then test the application functionality that uses Shell methods.
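As an added example (not code from this advisory or from the Ruby project), the following Ruby helper implements the allowlist workaround for file tests, so that an untrusted test name is never handed to Shell#test / Shell#[], and a version check against the fixed releases this advisory lists. Assumptions: the application only needs the six single-letter tests in the table, and series the advisory does not list (e.g. 3.x) are reported as not covered (nil).

```ruby
# Added example, not code from the advisory or from Ruby itself.
# 1) Allowlist of file tests an untrusted "command" value may select.
#    Anything else is rejected before it could reach Shell#test / Shell#[]
#    (the methods affected by CVE-2019-16255), so no untrusted string is
#    ever used to pick a method.
FILE_TEST_ALLOWLIST = {
  'e' => :exist?,
  'f' => :file?,
  'd' => :directory?,
  'r' => :readable?,
  'w' => :writable?,
  's' => :size?
}.freeze

# Runs the allowlisted test on +path+ and returns its result;
# raises ArgumentError for any command not in the allowlist.
def safe_file_test(command, path)
  key = command.to_s
  predicate = FILE_TEST_ALLOWLIST.fetch(key) do
    raise ArgumentError, "file test #{key.inspect} is not permitted"
  end
  # Only a predicate taken from the fixed table is ever dispatched.
  FileTest.public_send(predicate, path)
end

# 2) Fixed releases from this advisory, keyed by minor series (assumption:
#    series the advisory does not list, e.g. 3.x, are reported as nil).
FIXED_VERSIONS = {
  '2.4' => [2, 4, 8],
  '2.5' => [2, 5, 7],
  '2.6' => [2, 6, 5]
}.freeze

# true  -> version is in an affected range (older than the fixed release)
# false -> version is at or above the fixed release
# nil   -> series not covered by this advisory
def vulnerable_ruby_version?(version = RUBY_VERSION)
  parts = version.split('.').map(&:to_i)
  fixed = FIXED_VERSIONS[parts[0, 2].join('.')]
  return nil unless fixed
  (parts <=> fixed).negative?
end

if $PROGRAM_NAME == __FILE__
  puts "Ruby #{RUBY_VERSION} affected by CVE-2019-16255: #{vulnerable_ruby_version?.inspect}"
  puts "this file exists: #{safe_file_test('e', __FILE__)}"
end
```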

📡 Detection & Monitoring

Log Indicators:

  • Unusual Ruby method calls in application logs
  • Suspicious command execution patterns
  • Errors from Shell class with unexpected input

Network Indicators:

  • Unusual outbound connections from Ruby processes
  • Data exfiltration patterns

SIEM Query:

source="application.log" AND ("Shell#\[\]" OR "Shell#test") AND (suspicious_input_patterns)
