Denial of service in mruby/mruby


Reported on

May 4th 2022

Affected commit


Proof of Concept



Raise an exception without aborting the software

Case output:

root:~/mruby/mruby/bin# ./mruby poc.rb 
poc.rb:1: can't convert BasicObject into String (TypeError)

Test Platform:

Ubuntu 18.04


This bug was found by Ken Wong (@wwkenwong) from Black Bauhinia (@blackb6a) and Alex Cheung


Denial of service


Yukihiro "Matz" Matsumoto modified the Severity from Critical to Low
Yukihiro "Matz" Matsumoto validated this vulnerability

This is a bug, but to use it as a security vulnerability, it requires: (a) use libmruby to sandbox untrusted input (e.g. mruby-engine) (b) enable MRB_USE_STDIO which is fundamentally more dangerous for untrusted input

Considering those requirements, I mark this as low

wwkenwong has been awarded the disclosure bounty
Yukihiro "Matz" Matsumoto marked this as fixed in 3.2 with commit 457abf
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
error.c#L204 has been validated