Vulnerable Library - fastlane-2.228.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Vulnerabilities
| CVE |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (fastlane version) |
Remediation Possible** |
| CVE-2026-35611 |
 High |
7.5 |
addressable-2.8.7.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-45363 |
High |
7.4 |
jwt-2.10.2.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-25765 |
 Medium |
5.8 |
faraday-1.10.4.gem |
Transitive |
N/A* |
❌ |
| CVE-2025-58767 |
Medium |
5.3 |
rexml-3.4.1.gem |
Transitive |
N/A* |
❌ |
| CVE-2025-14762 |
Medium |
5.3 |
aws-sdk-s3-1.196.1.gem |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-35611
Vulnerable Library - addressable-2.8.7.gem
Addressable is an alternative implementation to the URI implementation that is
part of Ruby's standard library. It is flexible, offers heuristic parsing, and
additionally provides extensive support for IRIs and URI templates.
Library home page: https://rubygems.org/gems/addressable-2.8.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
- fastlane-2.228.0.gem (Root Library)
- ❌ addressable-2.8.7.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
Publish Date: 2026-04-07
URL: CVE-2026-35611
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: sporkmonger/addressable@c87f768
Release Date: 2026-04-07
Fix Resolution: https://github.com/sporkmonger/addressable.git - addressable-2.9.0
CVE-2026-45363
Vulnerable Library - jwt-2.10.2.gem
A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.
Library home page: https://rubygems.org/gems/jwt-2.10.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
- fastlane-2.228.0.gem (Root Library)
- ❌ jwt-2.10.2.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
"JWT.decode(token, '', true, algorithm: 'HS256')" accepts an attacker-forged token. "OpenSSL::HMAC.digest('SHA256', '', payload)" returns a valid digest under an empty key, and no "raise InvalidKeyError if key.empty?" precondition exists in the HMAC algorithm. JWT.decode(token, "", true, algorithm: 'HS256') -> JWA::Hmac.verify(verification_key: "", ...) -> OpenSSL::HMAC.digest('SHA256', "", signing_input) == signature The same path is reached when a keyfinder block or key_finder: argument returns "", nil, or an array containing nil for an unknown key. JWT::Decode#find_key only rejects literal nil and empty arrays, and JWT::JWA::Hmac silently coerces nil to "" (signing_key ||= '') before signing. JWT.decode(token, nil, true, algorithms: ['HS256']) { |_h| "" } -> find_key returns "" # "" && !Array("").empty? == true -> JWA::Hmac.verify(verification_key: "", ...) -> verifies Common application patterns that produce the unsafe value: "redis.get("kid:#{kid}").to_s", ORM string columns with "default: ''", "ENV['SECRET'] || '', Hash.new('')" lookups, [primary, fallback] where fallback may be nil. Applications passing a non-empty static key:, or whose keyfinder returns nil / raises on miss, are not affected. The existing "enforce_hmac_key_length" option would block this but defaults to false. On OpenSSL ≥ 3.5 the empty-key HMAC.digest call no longer raises, so the OpenSSL-3.0 rescue in JWA::Hmac#sign does not fire. Affects HS256/HS384/HS512 via both JWT.decode (positional key and block keyfinder) and "JWT::EncodedToken#verify_signature!(key_finder:)"
Publish Date: 2026-05-18
URL: CVE-2026-45363
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c32j-vqhx-rx3x
Release Date: 2026-05-18
Fix Resolution: jwt - 3.2.0
CVE-2026-25765
Vulnerable Library - faraday-1.10.4.gem
Library home page: https://rubygems.org/gems/faraday-1.10.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
- fastlane-2.228.0.gem (Root Library)
- ❌ faraday-1.10.4.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Publish Date: 2026-02-09
URL: CVE-2026-25765
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-33mh-2634-fwr2
Release Date: 2026-02-09
Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1,faraday - 2.14.1
CVE-2025-58767
Vulnerable Library - rexml-3.4.1.gem
An XML toolkit for Ruby
Library home page: https://rubygems.org/gems/rexml-3.4.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
- fastlane-2.228.0.gem (Root Library)
- CFPropertyList-3.0.7.gem
- ❌ rexml-3.4.1.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.
Publish Date: 2025-09-17
URL: CVE-2025-58767
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2f4-jgmc-q2r5
Release Date: 2025-09-17
Fix Resolution: rexml - 3.4.2,https://github.com/ruby/rexml.git - v3.4.2
CVE-2025-14762
Vulnerable Library - aws-sdk-s3-1.196.1.gem
Official AWS Ruby gem for Amazon Simple Storage Service (Amazon S3). This gem is part of the AWS SDK for Ruby.
Library home page: https://rubygems.org/gems/aws-sdk-s3-1.196.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
- fastlane-2.228.0.gem (Root Library)
- ❌ aws-sdk-s3-1.196.1.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record.
To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later.
Publish Date: 2025-12-17
URL: CVE-2025-14762
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2xgq-q749-89fq
Release Date: 2025-12-17
Fix Resolution: aws-sdk-s3 - 1.208.0
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - addressable-2.8.7.gem
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.
Library home page: https://rubygems.org/gems/addressable-2.8.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
Publish Date: 2026-04-07
URL: CVE-2026-35611
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: sporkmonger/addressable@c87f768
Release Date: 2026-04-07
Fix Resolution: https://github.com/sporkmonger/addressable.git - addressable-2.9.0
Vulnerable Library - jwt-2.10.2.gem
A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.
Library home page: https://rubygems.org/gems/jwt-2.10.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
"JWT.decode(token, '', true, algorithm: 'HS256')" accepts an attacker-forged token. "OpenSSL::HMAC.digest('SHA256', '', payload)" returns a valid digest under an empty key, and no "raise InvalidKeyError if key.empty?" precondition exists in the HMAC algorithm. JWT.decode(token, "", true, algorithm: 'HS256') -> JWA::Hmac.verify(verification_key: "", ...) -> OpenSSL::HMAC.digest('SHA256', "", signing_input) == signature The same path is reached when a keyfinder block or key_finder: argument returns "", nil, or an array containing nil for an unknown key. JWT::Decode#find_key only rejects literal nil and empty arrays, and JWT::JWA::Hmac silently coerces nil to "" (signing_key ||= '') before signing. JWT.decode(token, nil, true, algorithms: ['HS256']) { |_h| "" } -> find_key returns "" # "" && !Array("").empty? == true -> JWA::Hmac.verify(verification_key: "", ...) -> verifies Common application patterns that produce the unsafe value: "redis.get("kid:#{kid}").to_s", ORM string columns with "default: ''", "ENV['SECRET'] || '', Hash.new('')" lookups, [primary, fallback] where fallback may be nil. Applications passing a non-empty static key:, or whose keyfinder returns nil / raises on miss, are not affected. The existing "enforce_hmac_key_length" option would block this but defaults to false. On OpenSSL ≥ 3.5 the empty-key HMAC.digest call no longer raises, so the OpenSSL-3.0 rescue in JWA::Hmac#sign does not fire. Affects HS256/HS384/HS512 via both JWT.decode (positional key and block keyfinder) and "JWT::EncodedToken#verify_signature!(key_finder:)"
Publish Date: 2026-05-18
URL: CVE-2026-45363
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c32j-vqhx-rx3x
Release Date: 2026-05-18
Fix Resolution: jwt - 3.2.0
Vulnerable Library - faraday-1.10.4.gem
Library home page: https://rubygems.org/gems/faraday-1.10.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Publish Date: 2026-02-09
URL: CVE-2026-25765
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-33mh-2634-fwr2
Release Date: 2026-02-09
Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1,faraday - 2.14.1
Vulnerable Library - rexml-3.4.1.gem
An XML toolkit for Ruby
Library home page: https://rubygems.org/gems/rexml-3.4.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.
Publish Date: 2025-09-17
URL: CVE-2025-58767
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c2f4-jgmc-q2r5
Release Date: 2025-09-17
Fix Resolution: rexml - 3.4.2,https://github.com/ruby/rexml.git - v3.4.2
Vulnerable Library - aws-sdk-s3-1.196.1.gem
Official AWS Ruby gem for Amazon Simple Storage Service (Amazon S3). This gem is part of the AWS SDK for Ruby.
Library home page: https://rubygems.org/gems/aws-sdk-s3-1.196.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record.
To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later.
Publish Date: 2025-12-17
URL: CVE-2025-14762
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2xgq-q749-89fq
Release Date: 2025-12-17
Fix Resolution: aws-sdk-s3 - 1.208.0