GMS-2014-15: Remote code execution
The lz4-ruby package is vulnerable to an integer overflow in its decompression path. When a crafted payload is decompressed, an overflowed length calculation lets the pointer into the output buffer be advanced to an address outside that buffer, so the decoder's bounds check passes and the subsequent copy writes out of bounds. Because the attacker controls the offset exactly, this yields a controlled write and makes a reliable remote code execution exploit straightforward. 32-bit builds of the package are critically affected; 64-bit builds are considered infeasible to exploit.
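The following is an added, constructed model of this bug class and is not lz4-ruby's or LZ4's own source. It decodes an LZ4-style literal run length (a length nibble of 15 followed by extension bytes, each 0xFF adding 255) and then applies two bounds checks: the vulnerable "compute the end position, then compare" form, and a hardened form that compares the length against the remaining room. Lengths and buffer offsets are `uint32_t` to stand in for `size_t` and pointer arithmetic on a 32-bit host, where the sum wraps at 2^32; the buffer sizes, the 0x100 write position and the function names are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the bug class (not lz4-ruby's source): an LZ4-style
 * literal run length is decoded by accumulating extension bytes, then the
 * decoder checks whether the run fits in the output buffer. All lengths and
 * buffer offsets are uint32_t to stand in for size_t/pointers on a 32-bit
 * host, where the arithmetic wraps modulo 2^32.
 */

#define TOKEN_EXTENDED 15u   /* nibble value meaning "extension bytes follow" */

/* Decode a run length starting at in[*pos]: a nibble of 15 means keep adding
 * bytes; each 0xFF contributes 255 and the first non-0xFF byte ends the run.
 * The accumulator is uint32_t, so a long enough run of 0xFF would wrap it. */
static uint32_t read_run_length(const uint8_t *in, size_t in_len,
                                size_t *pos, uint8_t nibble)
{
    uint32_t length = nibble;
    if (nibble == TOKEN_EXTENDED) {
        uint8_t b;
        do {
            if (*pos >= in_len)        /* truncated stream: stop early */
                return length;
            b = in[(*pos)++];
            length += b;               /* wraps modulo 2^32 if it overflows */
        } while (b == 0xFF);
    }
    return length;
}

/* Vulnerable check, mirroring "if (op + length > oend) fail": the end position
 * is computed first, so a huge length wraps out_pos + length back below the
 * capacity and the check passes. */
static int unsafe_check_passes(uint32_t out_pos, uint32_t out_cap, uint32_t length)
{
    return out_pos + length <= out_cap;        /* BUG: addition may wrap */
}

/* Hardened check: compare the length against the remaining room instead of
 * computing an end position. Relies on the invariant out_pos <= out_cap. */
static int safe_check_passes(uint32_t out_pos, uint32_t out_cap, uint32_t length)
{
    return length <= out_cap - out_pos;
}

/* Build a stream whose literal run length equals 2^32 - out_pos, so that
 * out_pos + length wraps to exactly 0 on a 32-bit host. Returns a malloc'd
 * buffer (caller frees) and its size in *stream_len. */
static uint8_t *build_wrapping_payload(uint32_t out_pos, size_t *stream_len)
{
    uint64_t target = ((uint64_t)1 << 32) - out_pos;  /* wanted run length */
    uint64_t rest = target - TOKEN_EXTENDED;
    size_t n_ff = (size_t)(rest / 255);               /* 0xFF extension bytes */
    uint8_t last = (uint8_t)(rest % 255);             /* terminator, never 0xFF */

    *stream_len = 1 + n_ff + 1;
    uint8_t *s = malloc(*stream_len);
    if (!s) { perror("malloc"); exit(1); }
    s[0] = (uint8_t)(TOKEN_EXTENDED << 4);            /* token: literal nibble 15 */
    memset(s + 1, 0xFF, n_ff);
    s[*stream_len - 1] = last;
    return s;
}

/* Parse the crafted stream's run length and apply both bounds checks; writes
 * the decoded length and each check's verdict (1 = passes) to the outputs. */
static void run_demo(uint32_t out_pos, uint32_t out_cap,
                     uint32_t *length, int *unsafe_ok, int *safe_ok)
{
    size_t stream_len, pos = 0;
    uint8_t *stream = build_wrapping_payload(out_pos, &stream_len);
    uint8_t token = stream[pos++];
    *length = read_run_length(stream, stream_len, &pos, (uint8_t)(token >> 4));
    *unsafe_ok = unsafe_check_passes(out_pos, out_cap, *length);
    *safe_ok = safe_check_passes(out_pos, out_cap, *length);
    free(stream);
}

int main(void)
{
    uint32_t length; int unsafe_ok, safe_ok;
    /* assumed scenario: 256 bytes already written into a 4 KiB output buffer */
    run_demo(0x100, 0x1000, &length, &unsafe_ok, &safe_ok);
    printf("decoded length     : %u (0x%08x)\n", length, length);
    printf("out_pos + length   : 0x%08x (wrapped)\n", 0x100u + length);
    printf("unsafe check passes: %d   safe check passes: %d\n", unsafe_ok, safe_ok);
    return 0;
}
```

The crafted stream is about 16.8 MB of 0xFF bytes, which is why the 32-bit case is practical: 2^32 / 255 extension bytes fit in a payload an attacker can deliver. The same wrap against a 64-bit `size_t` would need on the order of 2^64 / 255 bytes of input, which is the arithmetic behind the advisory's statement that 64-bit builds are infeasible to exploit. The hardened check also shows the general rule for length validation: never compute `base + len` and compare it to an end marker; compare `len` to the remaining room so no addition can wrap.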