Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: rubyPackages.ruby-lsp

Found 1 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-34060
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed package vscode-extensions.shopify.ruby-lsp 1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
Ruby LSP has arbitrary code execution through branch setting

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

Affected products

ruby-lsp
  • ==< 0.26.9
Shopify.ruby-lsp
  • ==< 0.10.2

Matching in nixpkgs

Advisory: https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93