
Marshal madness: A brief history of Ruby deserialization exploits


This post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches.

Documenting the evolution of exploitation techniques serves a crucial purpose in security engineering: it helps us understand not just individual vulnerabilities but the systemic patterns that resist conventional fixes. Before running off to find earlier examples, consider the point I’m making here: there is a direct link between Hailey’s issue and modern Ruby deserialization exploit development. Then, as mentioned at the beginning of the story, Luke Jahnke returns to the scene on November 24, 2024, with “Ruby 3.4 Universal RCE Deserialization Gadget Chain,” and again on December 3 with “Gem::SafeMarshal escape.” Both techniques were eventually patched.
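As an added illustration (this is not code from the original post, and it does not reproduce any of the gadget chains the post discusses), here is a short Ruby script showing the mechanism every one of these exploits depends on: `Marshal.load` instantiates whatever class the byte stream names and calls that class’s `marshal_load` method with attacker-supplied data. `AuditHook` is a hypothetical application class standing in for a gadget, and the payload is constructed inline. The script also shows why the proc argument to `Marshal.load` is not a usable allowlist (it runs only after `marshal_load` has already fired), and that parsing a data-only format such as JSON avoids the problem entirely.

```ruby
require 'json'

# Records every side effect triggered during deserialization, so the script
# can show exactly when a gadget's code runs.
SIDE_EFFECTS = []

# Hypothetical application class (an assumption made for this example). Any
# class loaded in the victim process that defines marshal_load is a candidate
# gadget: Marshal.load allocates it without calling initialize and then calls
# marshal_load with data taken straight from the byte stream.
class AuditHook
  attr_reader :cmd

  def initialize(cmd = nil)
    @cmd = cmd
  end

  # Called by Marshal.dump; its return value is what gets serialized.
  def marshal_dump
    @cmd
  end

  # Called by Marshal.load with attacker-controlled data. A real gadget would
  # do something dangerous here (spawn a process, write a file, eval code);
  # this stand-in only records that it ran.
  def marshal_load(data)
    @cmd = data
    SIDE_EFFECTS << "would run: #{data}"
  end
end

# Constructed payload. It is built with Marshal.dump for convenience, but the
# bytes are just a 'U' record naming the class plus a string, which an attacker
# can craft by hand without AuditHook existing on their side.
PAYLOAD = Marshal.dump(AuditHook.new("id"))

# The vulnerable pattern: deserializing untrusted bytes with Marshal.load.
def unsafe_load(bytes)
  Marshal.load(bytes)
end

# A tempting but inadequate hardening: Marshal.load accepts a proc that is
# called once per deserialized object. Rejecting unexpected classes there
# looks like an allowlist, but the proc only sees each object after it has
# been constructed, i.e. after marshal_load has already run.
ALLOWED = [String, Integer, Float, Symbol, Array, Hash,
           TrueClass, FalseClass, NilClass].freeze

def filtered_load(bytes, allowed = ALLOWED)
  Marshal.load(bytes, ->(obj) {
    raise TypeError, "rejected #{obj.class}" unless allowed.include?(obj.class)
    obj
  })
end

# The actual fix: do not hand untrusted bytes to Marshal at all. A data-only
# format yields plain values and never instantiates application classes.
def safe_parse(text)
  JSON.parse(text, create_additions: false)
end

# Runs both Marshal paths against the payload and reports when the gadget fired.
def demo
  SIDE_EFFECTS.clear

  obj = unsafe_load(PAYLOAD)
  after_unsafe = SIDE_EFFECTS.size   # marshal_load ran during unsafe_load

  rejected = false
  begin
    filtered_load(PAYLOAD)
  rescue TypeError
    rejected = true
  end
  after_filtered = SIDE_EFFECTS.size # it ran again before the proc rejected the object

  {
    unsafe_class: obj.class,
    unsafe_cmd: obj.cmd,
    after_unsafe: after_unsafe,
    rejected: rejected,
    after_filtered: after_filtered,
  }
end

if __FILE__ == $0
  p demo
  p safe_parse('{"cmd":"id"}')
end
```

Running `demo` shows the side effect counter at 1 after the plain `Marshal.load` and at 2 after the filtered call, even though the filtered call raises: the filter fires too late to stop the gadget. That ordering is why post-hoc filtering of `Marshal` output keeps getting bypassed and why the fix has to be at the format level, either a restricted loader that refuses to construct arbitrary classes or a different serialization format altogether.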
