Unsafe JSON deserialization is the root cause of a critical remote code execution (RCE) vulnerability that has surfaced in RubitMQ job workers This article explores risks ruby apps. . This vulnerability, which allows attackers to transform seemingly innocuous JSON data into potentially harmful executable code, was discovered by security researcher NullSecurityX.

This is caused by faulty design assumptions in Ruby background systems that unquestioningly trust processed data, in contrast to memory corruption bugs. With a CVSS score of 9.8, the vulnerability—tracked as CVE-2024-XXXX—is classified as critical. Vulnerable RubitMQ configurations expose systems to full infrastructure compromise risks, such as lateral network movement and data theft. significant risk to security (Source: Medium) NullSecurityX showed how attackers can bridge data and code execution gaps by demonstrating the exploit on platforms such as Medium.

This has an impact on Ruby applications that use the Oj gem for quick JSON handling, which is frequently used by background workers and job queues. Although Oj's object deserialization features pose hidden risks, developers frequently choose it for speed. Oj.load rebuilds entire Ruby objects from the JSON, including custom classes from the application code, when a payload reaches the worker.

It does more than just unpack data. Attacks using object injection become possible as a result. Technical Evaluation of the Defect Fundamentally, the bug takes advantage of Oj.load's support for directives that cause class instantiation, such as ^o. Workers process jobs using capability-based checks in RubitMQ's architecture.

Before dispatching an object, they check to see if it has a run_find method, presuming that this indicates safe authorization.

Attackers create JSON payloads that instantiate the Node utility class of the application, which contains an Open3-powered run_find method.capture3 for the execution of shell commands. The CVE breakdown is as follows: Description of CVE ID CVSS Score Severity CVE-2024-XXXX 9.8 Critical Unsafe deserialization in RubitMQ via Oj.load permits object injection-based remote code execution. By abusing the -exec flag of the Unix find command, the exploit becomes deterministic.

In order to execute arbitrary shell commands with the worker's privileges, a malicious payload inserts arguments that chain finds. This gets around common safeguards like sandboxing and input validation. The proof-of-concept for NullSecurityX demonstrates commands that reliably execute, resulting in pivots to other systems, data exfiltration, or service crashes. Only clever JSON engineering is required—no memory tricks.

Products Affected and Steps for Mitigation Although the Oj gem's default configuration increases risks across Ruby apps, RubitMQ job workers are disproportionately affected. This is a synopsis: Component Affected by the Product Status of the Patch Worker for RubitMQ (JSON Processor) An update is necessary. The default load configuration for the Ruby OJ Gem A Change Is Necessary Upgrade in order to resolve this.

If patched versions are available, use them instead of RubitMQ. JSON mode, which prevents object creation, is one of the safer modes that Oj.load switches to. Run workers in isolated containers, audit dynamic dispatch logic, and rigorously validate payloads. Turn on Ruby's secure YAML-style constraints for JSON as well.

Alerts may be issued soon by CISA and related organizations. This vulnerability emphasizes the need to examine "safe" formats, such as JSON, in untrusted inputs. Deserialization is a prime RCE vector since background workers frequently operate with elevated access.

Now is the time for teams that use Ruby queues to scan code, LinkedIn, and X for more real-time updates. Make ZeroOwl your Google Preferred Source.