<![CDATA[Wonder if https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316/ (CVE-2026-41316) is an issue for Mastodon?]]>Wonder if https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316/ (CVE-2026-41316) is an issue for Mastodon?

Gemfile.lock for stable-4.5 still has erb (5.1.3), but no idea if Mastodon uses it in an attackable way.

]]>https://board.circlewithadot.net/topic/90b1d238-61e3-4eba-9d5e-8ac028a9ecae/wonder-if-https-www.ruby-lang.org-en-news-2026-04-21-erb-cve-2026-41316-cve-2026-41316-is-an-issue-for-mastodonRSS for NodeThu, 14 May 2026 23:27:14 GMTThu, 23 Apr 2026 08:18:55 GMT60<![CDATA[Reply to Wonder if https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316/ (CVE-2026-41316) is an issue for Mastodon? on Thu, 23 Apr 2026 11:52:13 GMT]]>@galaxis mastodon code itself has no references to Marshal, as well as json-ld-*, sidekiq uses json serialization

It’s highly unlikely that dependencies use marshaling as well. It’s used to encode raw ruby objects which is very rare and subject to Ruby version incompatibility

]]>https://board.circlewithadot.net/post/https://feed.yopp.me/users/alex/statuses/116453876260751220https://board.circlewithadot.net/post/https://feed.yopp.me/users/alex/statuses/116453876260751220Thu, 23 Apr 2026 11:52:13 GMT