CVE CyberSecurity Database News

CVE-2023-40165 - How a RubyGems.org Input Validation Bug Could Have Let Attackers Replace Legit Libraries

Poster -

RubyGems.org is the Ruby language’s central repository for gems—reusable libraries that power apps large and small. For most developers, it’s a trusted place to fetch and share code. But in August 2023, a critical bug—CVE-2023-40165—was discovered: Uploaders could replace existing gem files under certain conditions, possibly swapping out authentic code for malicious ones. Thankfully, investigations show this bug was not exploited. Here’s a plain-language breakdown of what went wrong, what’s been done, and how you can double-check your own gems.

What Was the Vulnerability?

The bug stemmed from insufficient input validation during gem uploads. RubyGems lets users upload new versions of their gems, but there’s supposed to be strict checking to prevent different people from clobbering, or replacing, existing gem files—especially those that are public and could impact thousands of apps.

This validation didn’t properly handle certain characters in the gem’s platform, version number, or name—specifically anything that matched the /-\d/ pattern (a dash followed by a digit, like foo-2). Attackers could exploit this to upload new gems with these patterns and permanently overwrite the original files in the main RubyGems storage. Even worse, RubyGems.org’s CDN (content delivery network) would update right away, so anyone fetching that gem would immediately get the attacker’s file.

Example

If the legitimate gem is named foo-2.gem, an attacker could upload a malicious gem file that passes validation and replaces the original one:

# Original upload by trusted developer
gem build foo.gemspec
gem push foo-2.gem
# Attacker's malicious replacement
gem build evil.gemspec
mv evil-2.gem foo-2.gem
gem push foo-2.gem
# If validation fails to catch this, evil-2.gem overwrites the good foo-2.gem!

How Bad Could This Have Been?

If a popular gem like rails-2.3.18.gem was replaced this way, every developer or server upgrading or installing that gem would get the attacker’s code.

Attackers could have abused

- Build systems, Continuous Integration (CI) workers, and production deployments that download gems directly from RubyGems.org.

End-users who install or update libraries without checking file checksums or signatures.

Imagine the impact: a backdoor or malware could be widely distributed to Ruby apps, sites, and even developer machines, risking supply chain security.

Was Anyone Exploited?

Short answer: No—at least, not as far as the RubyGems.org maintainers can tell.

The security team audited all gems matching the risky /-\d/ pattern and didn't find any unexpected or replaced files. That means attackers either never found the bug or didn't get a chance to use it before it was patched.

Official post:
- CVE-2023-40165 Security Advisory on RubyGems.org GitHub

How Can You Double-Check Your Gems?

Even with no sign of attack, you can and should check your local gems just to be sure you aren't using an altered file. The best way is to verify .gem file checksums against the RubyGems.org database.

Step-by-Step: Checking Your Gems Automatically

RubyGems contributor Maciej Mensfeld created a tool called bundler-integrity that checks every gem you’ve downloaded:

# Add the plugin to your project
bundle add bundler-integrity

# Run integrity check against your installed gems
bundle exec bundler-integrity

This tool will compare the SHA checksums of your local .gem files with the ones published by RubyGems.org’s API. Any mismatch could point to tampering or corruption.

Reference:
- bundler-integrity plugin on GitHub

> ⚠️ Note: No tool can absolutely guarantee you weren’t exploited, but this helps you quickly spot any major problems.

How Has This Been Fixed?

The RubyGems.org team rolled out a patch with stricter input validation that blocks gem overwriting for all platform, version, and name combinations. The changes are now live across the service.

- No user action is required to stay protected—RubyGems.org has you covered for this specific vulnerability.

Extra Details

- Related CVE record: CVE-2023-40165 at NVD
- RubyGems.org canonical bucket: Where the site stores uploaded gem files. Vulnerable to unwanted overwrites before the fix.

Stay calm! There’s no sign this bug was used in the wild.

- Run integrity checks on your gems using the steps above, especially if you self-host or back up your gem cache.

Be aware of checksum warnings from bundler or gem install tools.

Supply chain attacks are a growing problem in the software world, and this bug is a reminder that even trusted infrastructure needs constant auditing. Luckily, the Ruby community’s quick response means this story ends safely—but it’s worth a few minutes to double-check your own codebase.

Further Reading

- RubyGems.org Security Advisories
- What is a supply chain attack? (OWASP)
- bundler-integrity usage example

Timeline

Published on: 08/17/2023 18:15:00 UTC
Last modified on: 08/24/2023 20:50:00 UTC