Path traversal in Measured::Cache::Json class

Low
dv-shop published GHSA-29g5-m8v7-v564 Jul 14, 2025

Package

bundler measured (RubyGems)

Affected versions

<=3.2.0

Patched versions

3.2.1

Description

Impact

A path traversal vulnerability exists in the Measured::Cache::Json class: an attacker who can manipulate the inputs used to initialize the class would be able to instruct the library to read arbitrary files.

Patches

Users should update to the latest version.

Severity

Low

CVE ID

No known CVE

Weaknesses

Path Traversal: '../filedir'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.
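A hypothetical Ruby sketch of this weakness class next to one containment check, added here as an example; it is not the measured gem's code, and `unsafe_cache_path`, `safe_cache_path`, `load_cache` and the sample files are assumptions. It also rejects a symlink inside the cache directory that points outside it, which goes beyond the `../` case named above.

```ruby
require "json"
require "pathname"
require "tmpdir"

# Hypothetical helpers for illustration only.
class InvalidCacheFile < ArgumentError; end

# Weak: caller-supplied name is joined to the base with no containment check.
def unsafe_cache_path(base_dir, filename)
  Pathname.new(File.join(base_dir, filename)).cleanpath
end

# Hardened: bare file names only, and the resolved target must stay under base.
def safe_cache_path(base_dir, filename)
  base = Pathname.new(base_dir).realpath
  name = filename.to_s
  if name.empty? || name.include?("\0") || File.basename(name) != name || %w[. ..].include?(name)
    raise InvalidCacheFile, "cache file must be a bare file name"
  end
  resolved = base.join(name).realpath # follows symlinks
  unless resolved.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise InvalidCacheFile, "cache file resolves outside #{base}"
  end
  resolved
end

def load_cache(resolver, base_dir, filename)
  JSON.parse(send(resolver, base_dir, filename).read)
rescue InvalidCacheFile
  :rejected
end

# Constructed layout: cache/units.json is intended, secret.json is not.
def traversal_demo
  Dir.mktmpdir do |root|
    cache = File.join(root, "cache")
    Dir.mkdir(cache)
    File.write(File.join(cache, "units.json"), '{"m":"metre"}')
    File.write(File.join(root, "secret.json"), '{"token":"constructed"}')
    File.symlink(File.join(root, "secret.json"), File.join(cache, "link.json"))
    { unsafe_traversal: load_cache(:unsafe_cache_path, cache, "../secret.json"),
      safe_traversal: load_cache(:safe_cache_path, cache, "../secret.json"),
      safe_symlink: load_cache(:safe_cache_path, cache, "link.json"),
      safe_normal: load_cache(:safe_cache_path, cache, "units.json") }
  end
end
```

The bare-name check stops `../` and absolute paths before any file system access; the `realpath` comparison is what catches the symlink.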