New Deserialization Vulnerability in Ruby Workers Could Enable Full System Compromise

A critical Remote Code Execution (RCE) vulnerability has been identified in a Ruby background job processing system. The flaw stems from unsafe JSON deserialization, which allows untrusted input to be transformed into executable objects.

This issue highlights the hidden dangers of deserialization in Ruby environments, where a single line of code can lead to deterministic command execution within a background worker context.

The vulnerability is rooted in design-level trust assumptions rather than obscure gadget chains or memory corruption. The problem arises when the application relies on the Oj gem for JSON processing.

When untrusted input is deserialized using Oj.load, it reconstructs fully functional Ruby objects, complete with methods and system access. This bridges the gap between data and code, paving the way for full system compromise.

Vulnerability Mechanics and Exploitation

The core of the issue lies in the application’s background job pattern, where user-controlled input is stored as a JSON payload and later deserialized by a background worker.

The critical line of code, data = Oj.load(job.payload), performs object deserialization instead of simple JSON parsing.

According to researchers at NullSecurityX, Oj.load can reconstruct objects using special JSON directives, such as {“^o”: “ClassName”}.

This allows an attacker to allocate a class instance, inject variables, and return a functional object.

Once the object is reconstructed, the application uses capability-based dynamic dispatch to evaluate it. If the object exposes a specific method, such as run_find, it is authorized to execute it.

This design flaw becomes dangerous when a utility class, like Node, contains an insecure method that invokes Open3.capture3.

An attacker can craft a JSON payload instructing Oj.load to deserialize a Node object with malicious arguments, such as shell commands disguised as arguments for the find command.

The exploitation chain is fully deterministic and requires no injection tricks. The payload is stored, reconstructed, and then executed, allowing arbitrary shell commands to be run.

This allows unauthenticated attackers to gain control over background workers, often resulting in complete system compromise.

To mitigate this vulnerability, developers must treat serialized input as hostile by default. NullSecurityX recommends using Oj.safe_load or strict parsing modes to ensure data is handled safely.

Additionally, dynamic dispatch should be replaced with explicit job handling, and execution of operating system commands with user-controlled arguments should be avoided entirely.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.