CVE-2008-2725

Name: CVE-2008-2725
Creator: NVD / NIST
Published: 2008-06-24T19:41:00+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 3.70%

Last modified Jun 16, 2026

CVE-2008-2725 is a vulnerability of currently unknown severity. Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. EPSS estimates a 3.70% chance of exploitation in the next 30 days.

Description

Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.

Metrics

EPSS Probability

3.70%

88.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-189

Affected Software

Vendor	Product	Versions
Ruby-Lang	Ruby	<= 1.8.4
Ruby-Lang	Ruby	>= 1.8.5, < 1.8.5.231
Ruby-Lang	Ruby	>= 1.8.6, < 1.8.6.230
Ruby-Lang	Ruby	>= 1.8.7, < 1.8.7.22
Debian	Debian Linux	4.0
Canonical	Ubuntu Linux	6.06
Canonical	Ubuntu Linux	7.04
Canonical	Ubuntu Linux	7.10
Canonical	Ubuntu Linux	8.04

References

http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/Third Party Advisory
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.htmlThird Party Advisory
http://secunia.com/advisories/30802Third Party Advisory
http://secunia.com/advisories/30831Third Party Advisory
http://secunia.com/advisories/30867Third Party Advisory
http://secunia.com/advisories/30875Third Party Advisory
http://secunia.com/advisories/30894Third Party Advisory
http://secunia.com/advisories/31062Third Party Advisory
http://secunia.com/advisories/31090Third Party Advisory
http://secunia.com/advisories/31181Third Party Advisory
http://secunia.com/advisories/31256Third Party Advisory
http://secunia.com/advisories/31687Third Party Advisory
http://secunia.com/advisories/33178Third Party Advisory
http://security.gentoo.org/glsa/glsa-200812-17.xmlThird Party Advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562Third Party Advisory
http://support.apple.com/kb/HT2163Third Party Advisory
http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilitiesThird Party Advisory
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206Broken Link
http://www.debian.org/security/2008/dsa-1612Third Party Advisory
http://www.debian.org/security/2008/dsa-1618Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:140Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142Third Party Advisory
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/Third Party Advisory
http://www.redhat.com/archives/fedora-security-commits/2008-June/msg00005.htmlThird Party Advisory
http://www.redhat.com/support/errata/RHSA-2008-0561.htmlThird Party Advisory
http://www.ruby-forum.com/topic/157034Third Party Advisory
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/Patch, Vendor Advisory
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.htmlThird Party Advisory
http://www.securityfocus.com/archive/1/493688/100/0/threadedThird Party Advisory, VDB Entry
http://www.securityfocus.com/bid/29903Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1020347Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/usn-621-1Third Party Advisory
http://www.vupen.com/english/advisories/2008/1907/referencesThird Party Advisory
http://www.vupen.com/english/advisories/2008/1981/referencesThird Party Advisory
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.htmlBroken Link
https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/241657Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2727Issue Tracking, Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/43350Third Party Advisory, VDB Entry
https://issues.rpath.com/browse/RPL-2626Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9606Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.htmlThird Party Advisory
http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/Third Party Advisory
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.htmlThird Party Advisory
http://secunia.com/advisories/30802Third Party Advisory
http://secunia.com/advisories/30831Third Party Advisory
http://secunia.com/advisories/30867Third Party Advisory
http://secunia.com/advisories/30875Third Party Advisory
http://secunia.com/advisories/30894Third Party Advisory
http://secunia.com/advisories/31062Third Party Advisory
http://secunia.com/advisories/31090Third Party Advisory
http://secunia.com/advisories/31181Third Party Advisory
http://secunia.com/advisories/31256Third Party Advisory
http://secunia.com/advisories/31687Third Party Advisory
http://secunia.com/advisories/33178Third Party Advisory
http://security.gentoo.org/glsa/glsa-200812-17.xmlThird Party Advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562Third Party Advisory
http://support.apple.com/kb/HT2163Third Party Advisory
http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilitiesThird Party Advisory
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206Broken Link
http://www.debian.org/security/2008/dsa-1612Third Party Advisory
http://www.debian.org/security/2008/dsa-1618Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:140Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142Third Party Advisory
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/Third Party Advisory
http://www.redhat.com/archives/fedora-security-commits/2008-June/msg00005.htmlThird Party Advisory
http://www.redhat.com/support/errata/RHSA-2008-0561.htmlThird Party Advisory
http://www.ruby-forum.com/topic/157034Third Party Advisory
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/Patch, Vendor Advisory
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.htmlThird Party Advisory
http://www.securityfocus.com/archive/1/493688/100/0/threadedThird Party Advisory, VDB Entry
http://www.securityfocus.com/bid/29903Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1020347Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/usn-621-1Third Party Advisory
http://www.vupen.com/english/advisories/2008/1907/referencesThird Party Advisory
http://www.vupen.com/english/advisories/2008/1981/referencesThird Party Advisory
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.htmlBroken Link
https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/241657Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2727Issue Tracking, Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/43350Third Party Advisory, VDB Entry
https://issues.rpath.com/browse/RPL-2626Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9606Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.htmlThird Party Advisory

Timeline

Published: Jun 24, 2008
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2008-2725?

How severe is CVE-2008-2725?

Severity scoring for CVE-2008-2725 is pending analysis. The EPSS model estimates a 3.70% probability of exploitation in the next 30 days.

How do I fix CVE-2008-2725?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2008-2725?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST