GHSA-C4R5-FXQW-VH93

Vulnerability from github – Published: 2026-03-27 19:43 – Updated: 2026-03-31 18:41
VLAI?
Summary
Ruby LSP has arbitrary code execution through branch setting
Details

Summary

The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json.

Other editors that support workspace setting that get automatically applied upon opening the editor and trusting the workspace are also impacted since the server is the component that performs the interpolation.

Details

The branch CLI argument passed to the ruby-lsp server was interpolated in the generated .ruby-lsp/Gemfile without sanitization. Editors that allow defining settings saved at the workspace level (e.g.: .vscode/settings.json) that gets automatically applied open the possibility to craft a malicious repository that once opened and trusted in the editor would run arbitrary code.

Impact

Code execution with the privileges of the user who opens the malicious project. Ruby LSP assumes workspace code is trusted and so opening the editor on an untrusted workspace can lead to executing potentially dangerous code.

Remediation

The rubyLsp.branch setting has been removed entirely. VS Code extensions auto-update by default, so most users will receive the fix without action. Users who have disabled auto-updates should update to extension version >= 0.10.2.

The branch CLI flag was also entirely removed from the ruby-lsp gem. For users that don't add ruby-lsp to their Gemfiles, the server should auto-update. Users with the ruby-lsp in the Gemfile and locked to a specific version should update to >= 0.26.9.

Severity ?
7.1 (High)
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "ruby-lsp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.26.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34060"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T19:43:14Z",
    "nvd_published_at": "2026-03-31T03:15:58Z",
    "severity": "HIGH"
  },
  "details": "**Summary**\n\nThe `rubyLsp.branch` VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious `.vscode/settings.json`.\n\nOther editors that support workspace setting that get automatically applied upon opening the editor and trusting the workspace are also impacted since the server is the component that performs the interpolation.\n\n**Details**\n\nThe `branch` CLI argument passed to the `ruby-lsp` server was interpolated in the generated `.ruby-lsp/Gemfile` without sanitization. Editors that allow defining settings saved at the workspace level (e.g.: `.vscode/settings.json`) that gets automatically applied open the possibility to craft a malicious repository that once opened and trusted in the editor would run arbitrary code.\n\n**Impact**\n\nCode execution with the privileges of the user who opens the malicious project. Ruby LSP assumes workspace code is trusted and so opening the editor on an untrusted workspace can lead to executing potentially dangerous code.\n\n**Remediation**\n\nThe `rubyLsp.branch` setting has been removed entirely. VS Code extensions auto-update by default, so most users will receive the fix without action. Users who have disabled auto-updates should update to extension version \u003e= 0.10.2.\n\nThe `branch` CLI flag was also entirely removed from the `ruby-lsp` gem. For users that don\u0027t add `ruby-lsp` to their Gemfiles, the server should auto-update. Users with the `ruby-lsp` in the Gemfile and locked to a specific version should update to \u003e= 0.26.9.",
  "id": "GHSA-c4r5-fxqw-vh93",
  "modified": "2026-03-31T18:41:33Z",
  "published": "2026-03-27T19:43:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34060"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Shopify/ruby-lsp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-lsp/CVE-2026-34060.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ruby LSP has arbitrary code execution through branch setting"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.