CVE-2025-27220

low-risk
Published 2025-03-04

In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.

Do I need to act?

-
0.18% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.0/10 Medium
NETWORK / HIGH complexity

Affected Products (2)

Cgi
Cgi

Affected Vendors

Ruby-Lang

References (3)

Third Party Advisory https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220....
Permissions Required https://hackerone.com/reports/2890322
https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
21
/ 100
low-risk
Severity 13/34 · Low
Exploitability 1/34 · Minimal
Exposure 7/34 · Low