ERB has an @_init deserialization guard bypass via def_module / def_method / def_class
Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an @_init instance variable guard in ERB#result and ERB#run to prevent code execution when an ERB object is reconstructed via Marshal.load (deserialization). However, three other public methods that also evaluate @src via eval() were not given the same guard: ERB#def_method ERB#def_module ERB#def_class An attacker who can trigger Marshal.load on untrusted data in a Ruby application that has erb loaded can …