{"id":"CVE-2025-27220","details":"In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.","aliases":["GHSA-mhwm-jh88-3gjf"],"modified":"2026-04-10T05:23:55.821633Z","published":"2025-03-04T00:15:31.693Z","related":["ALSA-2025:4488","CGA-9mpc-wqhj-mv2j","MGASA-2025-0290","SUSE-SU-2025:1369-1","SUSE-SU-2025:4264-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml"},{"type":"REPORT","url":"https://hackerone.com/reports/2890322"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/cgi","events":[{"introduced":"0"},{"fixed":"9f7e78ece68a2cab7531d5e1111ec2e4d5344ad9"},{"introduced":"6ddd5fc7d76b43b518b51277aecfb77fb5cad9ba"},{"fixed":"ab84b7fe6624faeba21fb52acac33ea678366e11"},{"introduced":"0"},{"last_affected":"827b7d43cceafa3a05a22d786d63671d27e0d5bc"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.3.5.1"},{"introduced":"0.4.0"},{"fixed":"0.4.2"},{"introduced":"0"},{"last_affected":"0.3.6"}]}}],"versions":["v0.1.0","v0.2.0","v0.3.0","v0.3.1","v0.3.2","v0.3.3","v0.3.4","v0.3.5","v0.3.6","v0.4.0","v0.4.1","v0.4.2.beta1","v0.4.2.beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27220.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}