Fix VERBOSE flag ignored when set before module load by SilentSobs · Pull Request #21105 · rapid7/metasploit-framework

SilentSobs · 2026-03-13T10:09:18Z

When set VERBOSE false is called before use <module>, the value is stored in the framework datastore as a raw string "false" without going through OptBool#normalize. Ruby treats non-empty strings as truthy, so the verbose condition evaluated "false" (string) as true, causing verbose output to always appear regardless of the flag.

Fix by using .to_s =~ TRUE_REGEX for both module and framework datastore lookups, consistent with how OptBool normalizes boolean values.

Verification

~/Documents/metasploit-framework$ ./msfconsole -q -x 'set VERBOSE false; setg RHOSTS 192.168.28.65; use auxiliary/scanner/smtp/smtp_enum; set USER_FILE user.txt; run; exit;' 2>&1 | grep -v WARN | grep -v stringio | grep -v "gem cleanup" | grep -v "Please report" | grep -v "Available"
      - 3.1.1
      - 3.0.4
VERBOSE => false
RHOSTS => 192.168.28.65
USER_FILE => user.txt
[*] 192.168.28.65:25      - 192.168.28.65:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[*] 192.168.28.65:25      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

~/Documents/metasploit-framework$

~/Documents/metasploit-framework$ ./msfconsole -q -x 'set VERBOSE true; setg RHOSTS 192.168.28.65; use auxiliary/scanner/smtp/smtp_enum; set USER_FILE user.txt; run; exit;' 2>&1 | grep -v WARN | grep -v stringio | grep -v "gem cleanup" | grep -v "Please report" | grep -v "Available"
      - 3.1.1
      - 3.0.4
VERBOSE => true
RHOSTS => 192.168.28.65
USER_FILE => user.txt
[*] 192.168.28.65:25      - 192.168.28.65:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[*] 192.168.28.65:25      - 192.168.28.65:25 Domain Name: metasploitable.localdomain
[*] 192.168.28.65:25      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

~/Documents/metasploit-framework$

~/Documents/metasploit-framework$ ./msfconsole -q -x 'setg RHOSTS 192.168.28.65; use auxiliary/scanner/smtp/smtp_enum; set USER_FILE user.txt; run; exit;' 2>&1 | grep -v WARN | grep -v stringio | grep -v "gem cleanup" | grep -v "Please report" | grep -v "Available"
      - 3.1.1
      - 3.0.4
RHOSTS => 192.168.28.65
USER_FILE => user.txt
[*] 192.168.28.65:25      - 192.168.28.65:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[*] 192.168.28.65:25      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

~/Documents/metasploit-framework$

Ramesh | Security Researcher
IoTSec.in - IoT & Embedded Security Research

When 'set VERBOSE false' is called before 'use <module>', the value is stored in the framework datastore as a raw string 'false' without going through OptBool#normalize. Ruby treats non-empty strings as truthy, so the verbose condition evaluated 'false' (string) as true. Fix by using .to_s =~ TRUE_REGEX for both module and framework datastore lookups, consistent with how OptBool normalizes boolean values.

smcintyre-r7 added this to Metasploit Kanban Mar 13, 2026

github-project-automation bot moved this to Todo in Metasploit Kanban Mar 13, 2026

adfoster-r7 self-assigned this Mar 18, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix VERBOSE flag ignored when set before module load#21105

Fix VERBOSE flag ignored when set before module load#21105
SilentSobs wants to merge 1 commit intorapid7:masterfrom
SilentSobs:fix/verbose-datastore-string-normalization

SilentSobs commented Mar 13, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

SilentSobs commented Mar 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Verification

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

SilentSobs commented Mar 13, 2026 •

edited

Loading