Denial of service in mruby/mruby


Reported on

May 4th 2022

Affected commit


Proof of Concept



Raise exception without aborting the software

Case output:

root:~/mruby/mruby/bin# ./mruby poc.rb 
poc.rb:1: can't convert BasicObject into String (TypeError)

Test Platform:

Ubuntu 18.04


This bug was found by Ken Wong (@wwkenwong) from Black Bauhinia (@blackb6a) and Alex Cheung


Denial of service


We are processing your report and will contact the mruby team within 24 hours. 24 days ago
We have contacted a member of the mruby team and are waiting to hear back 23 days ago
Yukihiro "Matz" Matsumoto modified the Severity from Critical to Low 22 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yukihiro "Matz" Matsumoto validated this vulnerability 22 days ago

This is a bug, but to use it as a security vulnerability, it requires: (a) use libmruby to sandbox untrusted input (e.g. mruby-engine) (b) enable MRB_USE_STDIO which is fundamentally more dangerous for untrusted input

Considering those requirements, I mark this as low

wwkenwong has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on 457abf 22 days ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
error.c#L204 has been validated