JSON gem vulnerability

A vulnerability affecting the json gem has been found. A detailed explanation can be found at the Rails security mailing list.

This is not an isolated Rails issue, as it affects a third-party library. It affects all users of the json gem. This gem might be pulled in as a dependency of other libraries in use. You can check whether your application uses the json gem by running:

bundle show

We strongly urge all users of Padrino to upgrade their applications using:

bundle update json

to at least: 1.7.7, 1.6.8, 1.5.5.

Also, use JSON.parse rather than JSON.load, unless you really know what you are doing: JSON.load enables the gem's "additions" feature, which lets the document being parsed choose which Ruby class gets instantiated, whereas JSON.parse returns plain hashes, arrays and scalars.
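The following added example (not code from the Padrino project or the original post) shows the difference in behaviour. The Greeting class, the safe_parse and risky_parse helpers and the sample document are all constructed for the demonstration; the risky variant enables create_additions explicitly, which is what JSON.load did by default in the affected versions.

```ruby
require "json"

# A harmless class that opts into the json gem's "additions" mechanism.
# Any class that responds to json_create can be instantiated from input
# when create_additions is enabled, which is why parsing untrusted data
# with that option (or with JSON.load in affected versions) is dangerous.
class Greeting
  attr_reader :text

  def initialize(text)
    @text = text
  end

  # Called by the parser when it sees {"json_class": "Greeting", ...}
  def self.json_create(hash)
    new(hash["text"])
  end
end

# Constructed sample input: a document that names a class to build.
UNTRUSTED_INPUT = '{"json_class":"Greeting","text":"hello"}'

# Safe default: JSON.parse ignores json_class and returns plain data.
def safe_parse(json)
  JSON.parse(json)
end

# Risky: with create_additions the input decides which class is built.
def risky_parse(json)
  JSON.parse(json, create_additions: true)
end

if __FILE__ == $PROGRAM_NAME
  p safe_parse(UNTRUSTED_INPUT).class   # Hash, json_class is just a key
  p risky_parse(UNTRUSTED_INPUT).class  # Greeting, chosen by the input
end
```

Running the file prints Hash for the safe call and Greeting for the risky one; the same document, parsed two ways, yields either inert data or an object of a class the input selected.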
