CVE-2025-27220: CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement
There is a possibility of Regular expression Denial of Service (ReDoS) in the cgi gem's Util#escapeElement method: the method runs a regular expression over the string it is given, and a crafted input can make that match consume CPU time far out of proportion to its length, so an application that passes attacker-controlled text through escapeElement can be tied up by a single request. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem to a version listed as fixed in the advisories referenced below.
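The point that matters for a ReDoS like this one is that escaping runs a pattern over attacker-controlled input, so the fix class is to make the work done per input byte bounded. The Ruby below is an added example written for this page; it is not the cgi gem's code and not its patch. It implements the documented contract of CGI.escapeElement (HTML-escape only the tags of the named elements, case-insensitively, and leave everything else untouched) with a single forward scan instead of a backtracking pattern, and it shows the one place such a scanner can itself turn quadratic (unterminated tags) and how to keep it linear. The names `escape_element_linear`, `html_escape` and `ESCAPE_TABLE` are this example's own, and the sample inputs are constructed.

```ruby
# Added example for this advisory page; not the cgi gem's code and not its fix.
# escape_element_linear follows the documented contract of CGI.escapeElement:
# HTML-escape only the tags of the named elements (case-insensitive) and leave
# every other tag and all text untouched. It uses a single forward scan and no
# pattern that can backtrack, so its cost is linear in the input length.

ESCAPE_TABLE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

# Same replacement table as CGI.escapeHTML, inlined so the example does not
# depend on which cgi gem version is installed. A single-character class
# cannot backtrack, so this gsub is linear in the input.
def html_escape(str)
  str.gsub(/[&<>"']/, ESCAPE_TABLE)
end

def escape_element_linear(string, *elements)
  wanted = elements.flatten.map { |e| e.to_s.downcase }
  return string if wanted.empty?

  out = +''
  n = string.length
  i = 0
  gt = -1 # cached index of the next '>' at or after i; nil once none remain

  while i < n
    if string[i] != '<'
      out << string[i]
      i += 1
      next
    end

    # Optional '/' then the tag name (alphanumerics), followed by a
    # non-word character so that "<ab>" is not treated as element "a".
    j = i + 1
    j += 1 if string[j] == '/'
    k = j
    k += 1 while k < n && string[k].match?(/[A-Za-z0-9]/)
    name = string[j...k].downcase
    at_boundary = k >= n || !string[k].match?(/\w/)

    # Look up the closing '>' once per region. Every '<' before the cached
    # index reuses it; only a '<' past it triggers a new search. Without the
    # cache, input such as "<a<a<a..." with no '>' at all makes each '<'
    # rescan to the end of the string, and the scanner is quadratic again.
    gt = string.index('>', i) if gt && gt < i

    if !name.empty? && at_boundary && wanted.include?(name) && gt
      out << html_escape(string[i..gt]) # escape the whole tag, <...> inclusive
      i = gt + 1
    else
      out << '<'
      i += 1
    end
  end
  out
end

# Documented behaviour of CGI.escapeElement, reproduced by the scanner:
#   escape_element_linear('<BR><A HREF="url"></A>', 'A', 'IMG')
#   # => "<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;"
```

To check an installed cgi gem rather than this stand-in, time CGI.escapeElement on inputs whose size grows by a constant factor and watch whether the run time grows by more than that factor. On Ruby 3.2 and later, `Regexp.timeout = 1.0` (or `Regexp.new(pattern, timeout: ...)`) bounds any single match in the process and is a useful backstop while the upgrade is rolled out, but it turns the hang into an exception rather than removing the problem, so it does not replace upgrading the gem.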
References
- github.com/advisories/GHSA-mhwm-jh88-3gjf
- github.com/ruby/cgi
- github.com/ruby/cgi/pull/52
- github.com/ruby/cgi/pull/53
- github.com/ruby/cgi/pull/54
- github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml
- hackerone.com/reports/2890322
- nvd.nist.gov/vuln/detail/CVE-2025-27220
- www.cve.org/CVERecord?id=CVE-2025-27220
- www.ruby-lang.org/en/news/2025/02/26/security-advisories