Ruby/yard/0.9.0


YARD is a documentation generation tool for the Ruby programming language.
It enables the user to generate consistent, usable documentation that can be
exported to a number of formats very easily, and also supports extending for
custom Ruby constructs such as custom class level definitions.

https://rubygems.org/gems/yard
MIT

10 Security Vulnerabilities

yard: Possible arbitrary path traversal and file access via yard server

Published date: 2026-04-17T22:21:03Z
CVE: CVE-2026-41493
Links:

Impact

A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The original patch in GHSA-xfhh-rx56-rxcr was incorrectly applied.

Patches

Please upgrade to YARD v0.9.42 immediately if you are relying on yard server to host documentation in any untrusted environments without WEBrick and rely on --docroot.

Workarounds

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

Affected versions: ["0.9.41", "0.9.40", "0.9.39", "0.9.38", "0.9.37", "0.9.36", "0.9.35", "0.9.34", "0.9.33", "0.9.32", "0.9.31", "0.9.30", "0.9.29", "0.9.28", "0.9.27", "0.9.26", "0.9.25", "0.9.24", "0.9.23", "0.9.22", "0.9.21", "0.9.20", "0.9.19", "0.9.18", "0.9.17", "0.9.16", "0.9.15", "0.9.14", "0.9.13", "0.9.12", "0.9.11", "0.9.10", "0.9.9", "0.9.8", "0.9.7", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.7.6", "0.8.7.5", "0.8.7.4", "0.8.7.3", "0.8.7.2", "0.8.7.1", "0.8.7", "0.8.6.2", "0.8.6.1", "0.8.6", "0.8.5.2", "0.8.5.1", "0.8.5", "0.8.4.1", "0.8.4", "0.8.3", "0.8.2.1", "0.8.2", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.8", "0.6.7", "0.6.6", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.8", "0.5.7", "0.5.6", "0.5.5", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.0", "0.5.1p1", "0.4.0", "0.2.3.5", "0.2.3.4", "0.2.3.3", "0.2.3.2", "0.2.3", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

YARD's default template vulnerable to Cross-site Scripting in generated frames.html

Published date: 2024-02-28T18:57:19Z
CVE: CVE-2024-27285
Links:

Summary

The frames.html file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the frames.erb template file.

Details

The vulnerability stems from mishandling user-controlled data retrieved from the URL hash in the embedded JavaScript code within the frames.erb template file. Specifically, the script lacks proper sanitization of the hash data before utilizing it to establish the top-level window's location. This oversight permits an attacker to inject malicious JavaScript payloads through carefully crafted URLs.

Snippet from frames.erb: (v0.9.34) erb <script type="text/javascript"> var match = unescape(window.location.hash).match(/^#!(.+)/); var name = match ? match[1] : '<%= url_for_main %>'; name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, ''); window.top.location = name; </script>

(v0.9.35) erb <script type="text/javascript"> var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/); var name = match ? match[1] : '<%= url_for_main %>'; name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim(); window.top.location.replace(name) </script>

PoC (Proof of Concept)

To exploit this vulnerability: 1. Gain access to the generated Yard Doc. 2. Locate and access the frames.html file. 3. Construct a URL containing the malicious payload in the hash segment, for instance: #!javascript:xss for v0.9.34, and #:javascript:xss for v0.9.35

Impact

This XSS vulnerability presents a substantial threat by enabling an attacker to execute arbitrary JavaScript code within the user's session context. Potential ramifications include session hijacking, theft of sensitive data, unauthorized access to user accounts, and defacement of websites. Any user visiting the compromised page is susceptible to exploitation. It is critical to promptly address this vulnerability to mitigate potential harm to users and preserve the application's integrity.

Affected versions: ["0.9.35", "0.9.34", "0.9.33", "0.9.32", "0.9.31", "0.9.30", "0.9.29", "0.9.28", "0.9.27", "0.9.26", "0.9.25", "0.9.24", "0.9.23", "0.9.22", "0.9.21", "0.9.20", "0.9.19", "0.9.18", "0.9.17", "0.9.16", "0.9.15", "0.9.14", "0.9.13", "0.9.12", "0.9.11", "0.9.10", "0.9.9", "0.9.8", "0.9.7", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.7.6", "0.8.7.5", "0.8.7.4", "0.8.7.3", "0.8.7.2", "0.8.7.1", "0.8.7", "0.8.6.2", "0.8.6.1", "0.8.6", "0.8.5.2", "0.8.5.1", "0.8.5", "0.8.4.1", "0.8.4", "0.8.3", "0.8.2.1", "0.8.2", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.8", "0.6.7", "0.6.6", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.8", "0.5.7", "0.5.6", "0.5.5", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.0", "0.5.1p1", "0.4.0", "0.2.3.5", "0.2.3.4", "0.2.3.3", "0.2.3.2", "0.2.3", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

Arbitrary file read vulnerability in yard server

Published date: 2017-12-21T00:47:25Z
CVE: CVE-2017-17042
Links:

lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.

Affected versions: ["0.9.10", "0.9.9", "0.9.8", "0.9.7", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.7.6", "0.8.7.5", "0.8.7.4", "0.8.7.3", "0.8.7.2", "0.8.7.1", "0.8.7", "0.8.6.2", "0.8.6.1", "0.8.6", "0.8.5.2", "0.8.5.1", "0.8.5", "0.8.4.1", "0.8.4", "0.8.3", "0.8.2.1", "0.8.2", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.8", "0.6.7", "0.6.6", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.8", "0.5.7", "0.5.6", "0.5.5", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.0", "0.5.1p1", "0.4.0", "0.2.3.5", "0.2.3.4", "0.2.3.3", "0.2.3.2", "0.2.3", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

YARD static cache reads raw traversal paths before router sanitization

Published date: 2026-06-26T22:29:29Z
CVE: CVE-2026-49342
Links:

Summary

YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static tree.

The potential security risk seems low, as only html-ending files can be read, but still the risk of reading arbitrary html files is a confiendtiality issue in itself, which is why we decided to report. Please let us know if this is out of your project's scope.

Details

The --docroot CLI option stores the configured directory in server_options[:DocumentRoot] at lib/yard/cli/server.rb:198, and adapter initialization copies that value into adapter.document_root at lib/yard/server/adapter.rb:76. For Rack requests, RackAdapter#call builds a request object from the Rack environment at lib/yard/server/rack_adapter.rb:58 and passes it to router.call(request) at lib/yard/server/rack_adapter.rb:60. Router#call then stores the incoming request at lib/yard/server/router.rb:55 and invokes check_static_cache before normal routing at lib/yard/server/router.rb:56. Inside check_static_cache, the only initial guard is that adapter.document_root is present at lib/yard/server/static_caching.rb:35; the cache path is built from File.join(adapter.document_root, request.path.sub(/\.html$/, '') + '.html') at lib/yard/server/static_caching.rb:36, without cleaning .. components first. If that resolved path is a regular file, File.file? accepts it at lib/yard/server/static_caching.rb:38 and the file bytes are returned as a 200 HTML response at lib/yard/server/static_caching.rb:40. The later route sanitizer in final_options uses File.cleanpath(...).gsub(...) at lib/yard/server/router.rb:181 and lib/yard/server/router.rb:182, but a static-cache hit returns before that code is reached.

PoC

poc.zip

bash ./poc/run.sh

expected output: text run 1: exit=0 timed_out=False duration=0.08s matched=True phase=oracle fingerprint='YARD_STATIC_CACHE_PATH_TRAVERSAL' run 2: exit=0 timed_out=False duration=0.08s matched=True phase=oracle fingerprint='YARD_STATIC_CACHE_PATH_TRAVERSAL' run 3: exit=0 timed_out=False duration=0.08s matched=True phase=oracle fingerprint='YARD_STATIC_CACHE_PATH_TRAVERSAL'

The YARD_STATIC_CACHE_PATH_TRAVERSAL fingerprint is emitted only after the PoC observes a 200 static-cache response whose body contains the sibling file outside the configured document root. A setup failure, syntax failure, or cache miss would not print this oracle and would not demonstrate this traversal read.

Impact

A remote unauthenticated HTTP client who can reach a YARD documentation server with DocumentRoot/--docroot enabled can request .html paths containing parent-directory components and receive readable matching files outside the configured document root. The required guards are narrow: adapter.document_root must be set, the traversed target must exist as a regular readable file, and the target must be reachable through the implementation's forced .html suffix. Those requests bypass the later final_options path cleanup because the cache check runs first. The resulting severity class is information disclosure: response bodies can contain off-root .html file contents, but this path does not show write access, code execution, or arbitrary files without the .html constraint.

Affected versions: ["0.9.43", "0.9.42", "0.9.41", "0.9.40", "0.9.39", "0.9.38", "0.9.37", "0.9.36", "0.9.35", "0.9.34", "0.9.33", "0.9.32", "0.9.31", "0.9.30", "0.9.29", "0.9.28", "0.9.27", "0.9.26", "0.9.25", "0.9.24", "0.9.23", "0.9.22", "0.9.21", "0.9.20", "0.9.19", "0.9.18", "0.9.17", "0.9.16", "0.9.15", "0.9.14", "0.9.13", "0.9.12", "0.9.11", "0.9.10", "0.9.9", "0.9.8", "0.9.7", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.7.6", "0.8.7.5", "0.8.7.4", "0.8.7.3", "0.8.7.2", "0.8.7.1", "0.8.7", "0.8.6.2", "0.8.6.1", "0.8.6", "0.8.5.2", "0.8.5.1", "0.8.5", "0.8.4.1", "0.8.4", "0.8.3", "0.8.2.1", "0.8.2", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.8", "0.6.7", "0.6.6", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.8", "0.5.7", "0.5.6", "0.5.5", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.0", "0.5.1p1", "0.4.0", "0.2.3.5", "0.2.3.4", "0.2.3.3", "0.2.3.2", "0.2.3", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

Potential arbitrary file read vulnerability in yard server

Published date: 2017-11-28
CVE: 2017-17042
CVSS V2: 5.0
CVSS V3: 7.5
Links:

lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.

Affected versions: ["0.8.7.4", "0.5.2", "0.8.7.6", "0.8.7.3", "0.8.7.1", "0.5.0", "0.8.7.5", "0.8.2.1", "0.6.7", "0.6.1", "0.9.1", "0.7.5", "0.6.5", "0.6.8", "0.2.3.3", "0.6.2", "0.9.4", "0.5.1p1", "0.8.5", "0.2.3.4", "0.8.6", "0.7.2", "0.2.3", "0.6.3", "0.9.7", "0.9.6", "0.5.4", "0.7.1", "0.8.5.2", "0.7.3", "0.6.0", "0.9.3", "0.8.4.1", "0.2.3.5", "0.9.2", "0.8.7.2", "0.8.6.2", "0.8.2", "0.5.8", "0.8.1", "0.7.0", "0.8.3", "0.5.1", "0.2.2", "0.9.10", "0.9.8", "0.6.4", "0.8.6.1", "0.8.0", "0.7.4", "0.6.6", "0.9.9", "0.5.3", "0.2.1", "0.9.5", "0.8.5.1", "0.8.4", "0.5.7", "0.4.0", "0.2.0", "0.2.3.2", "0.9.0", "0.5.5", "0.8.7", "0.5.6"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

Arbitrary path traversal and file access via `yard server`

Published date: 2019-07-02
CVE: 2019-1020001
CVSS V2: 5.0
CVSS V3: 7.5
Links:

A path traversal vulnerability was discovered in YARD <= 0.9.19 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The issue is resolved in v0.9.20 and later.

Affected versions: ["0.9.13", "0.8.7.4", "0.5.2", "0.8.7.6", "0.8.7.3", "0.8.7.1", "0.5.0", "0.9.19", "0.8.7.5", "0.8.2.1", "0.6.7", "0.6.1", "0.9.1", "0.7.5", "0.6.5", "0.6.8", "0.2.3.3", "0.6.2", "0.9.4", "0.5.1p1", "0.8.5", "0.2.3.4", "0.8.6", "0.7.2", "0.2.3", "0.6.3", "0.9.7", "0.9.6", "0.5.4", "0.7.1", "0.8.5.2", "0.7.3", "0.6.0", "0.9.16", "0.9.3", "0.8.4.1", "0.9.18", "0.9.12", "0.2.3.5", "0.9.17", "0.9.2", "0.8.7.2", "0.8.6.2", "0.9.14", "0.8.2", "0.5.8", "0.8.1", "0.7.0", "0.9.11", "0.8.3", "0.5.1", "0.2.2", "0.9.10", "0.9.8", "0.6.4", "0.8.6.1", "0.8.0", "0.7.4", "0.6.6", "0.9.9", "0.5.3", "0.2.1", "0.9.5", "0.8.5.1", "0.8.4", "0.5.7", "0.4.0", "0.9.15", "0.2.0", "0.2.3.2", "0.9.0", "0.5.5", "0.8.7", "0.5.6"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

YARD's default template vulnerable to Cross-site Scripting in generated frames.html

Published date: 2024-02-28
CVE: 2024-27285
CVSS V3: 5.4
Links:

Summary

The frames.html file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the frames.erb template file.

Details

The vulnerability stems from mishandling user-controlled data retrieved from the URL hash in the embedded JavaScript code within the frames.erb template file. Specifically, the script lacks proper sanitization of the hash data before utilizing it to establish the top-level window's location. This oversight permits an attacker to inject malicious JavaScript payloads through carefully crafted URLs.

Snippet from frames.erb: (v0.9.34) erb <script type="text/javascript"> var match = unescape(window.location.hash).match(/^#!(.+)/); var name = match ? match[1] : '<%= url_for_main %>'; name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, ''); window.top.location = name; </script>

(v0.9.35) erb <script type="text/javascript"> var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/); var name = match ? match[1] : '<%= url_for_main %>'; name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim(); window.top.location.replace(name) </script>

Impact

This XSS vulnerability presents a substantial threat by enabling an attacker to execute arbitrary JavaScript code within the user's session context. Potential ramifications include session hijacking, theft of sensitive data, unauthorized access to user accounts, and defacement of websites. Any user visiting the compromised page is susceptible to exploitation. It is critical to promptly address this vulnerability to mitigate potential harm to users and preserve the application's integrity.

Affected versions: ["0.9.13", "0.8.7.4", "0.9.20", "0.5.2", "0.8.7.6", "0.8.7.3", "0.8.7.1", "0.5.0", "0.9.22", "0.9.19", "0.8.7.5", "0.8.2.1", "0.6.7", "0.6.1", "0.9.1", "0.7.5", "0.6.5", "0.6.8", "0.2.3.3", "0.6.2", "0.9.4", "0.5.1p1", "0.8.5", "0.2.3.4", "0.9.24", "0.8.6", "0.7.2", "0.2.3", "0.6.3", "0.9.7", "0.9.6", "0.5.4", "0.7.1", "0.8.5.2", "0.7.3", "0.6.0", "0.9.16", "0.9.3", "0.8.4.1", "0.9.18", "0.9.12", "0.2.3.5", "0.9.17", "0.9.2", "0.8.7.2", "0.8.6.2", "0.9.14", "0.8.2", "0.5.8", "0.8.1", "0.7.0", "0.9.11", "0.8.3", "0.5.1", "0.2.2", "0.9.10", "0.9.8", "0.6.4", "0.8.6.1", "0.8.0", "0.7.4", "0.6.6", "0.9.9", "0.5.3", "0.2.1", "0.9.5", "0.8.5.1", "0.8.4", "0.5.7", "0.4.0", "0.9.25", "0.9.21", "0.9.15", "0.2.0", "0.2.3.2", "0.9.23", "0.9.0", "0.5.5", "0.8.7", "0.5.6", "0.9.26", "0.9.27", "0.9.28", "0.9.30", "0.9.29", "0.9.31", "0.9.32", "0.9.33", "0.9.34", "0.9.35"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

Possible arbitrary path traversal and file access via yard server

Published date: 2026-04-17
CVE: 2026-41493
CVSS V3: 7.5
Links:

Impact

A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The original patch in GHSA-xfhh-rx56-rxcr was incorrectly applied.

Patches

Please upgrade to YARD v0.9.42 immediately if you are relying on yard server to host documentation in any untrusted environments without WEBrick and rely on --docroot.

Workarounds

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

Affected versions: ["0.9.13", "0.8.7.4", "0.9.20", "0.5.2", "0.8.7.6", "0.8.7.3", "0.8.7.1", "0.5.0", "0.9.22", "0.9.19", "0.8.7.5", "0.8.2.1", "0.6.7", "0.6.1", "0.9.1", "0.7.5", "0.6.5", "0.6.8", "0.2.3.3", "0.6.2", "0.9.4", "0.5.1p1", "0.8.5", "0.2.3.4", "0.9.24", "0.8.6", "0.7.2", "0.2.3", "0.6.3", "0.9.7", "0.9.6", "0.5.4", "0.7.1", "0.8.5.2", "0.7.3", "0.6.0", "0.9.16", "0.9.3", "0.8.4.1", "0.9.18", "0.9.12", "0.2.3.5", "0.9.17", "0.9.2", "0.8.7.2", "0.8.6.2", "0.9.14", "0.8.2", "0.5.8", "0.8.1", "0.7.0", "0.9.11", "0.8.3", "0.5.1", "0.2.2", "0.9.10", "0.9.8", "0.6.4", "0.8.6.1", "0.8.0", "0.7.4", "0.6.6", "0.9.9", "0.5.3", "0.2.1", "0.9.5", "0.8.5.1", "0.8.4", "0.5.7", "0.4.0", "0.9.25", "0.9.21", "0.9.15", "0.2.0", "0.2.3.2", "0.9.23", "0.9.0", "0.5.5", "0.8.7", "0.5.6", "0.9.26", "0.9.27", "0.9.28", "0.9.30", "0.9.29", "0.9.31", "0.9.32", "0.9.33", "0.9.34", "0.9.35", "0.9.36", "0.9.37", "0.9.38", "0.9.39", "0.9.40", "0.9.41"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

YARD static cache reads raw traversal paths before router sanitization

Published date: 2026-06-23
CVE: 2026-49342
CVSS V3: 5.3
Links:

Summary

YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static tree.

The potential security risk seems low, as only html-ending files can be read, but still the risk of reading arbitrary html files is a confiendtiality issue in itself, which is why we decided to report. Please let us know if this is out of your project's scope.

Affected versions: ["0.9.13", "0.8.7.4", "0.9.20", "0.5.2", "0.8.7.6", "0.8.7.3", "0.8.7.1", "0.5.0", "0.9.22", "0.9.19", "0.8.7.5", "0.8.2.1", "0.6.7", "0.6.1", "0.9.1", "0.7.5", "0.6.5", "0.6.8", "0.2.3.3", "0.6.2", "0.9.4", "0.5.1p1", "0.8.5", "0.2.3.4", "0.9.24", "0.8.6", "0.7.2", "0.2.3", "0.6.3", "0.9.7", "0.9.6", "0.5.4", "0.7.1", "0.8.5.2", "0.7.3", "0.6.0", "0.9.16", "0.9.3", "0.8.4.1", "0.9.18", "0.9.12", "0.2.3.5", "0.9.17", "0.9.2", "0.8.7.2", "0.8.6.2", "0.9.14", "0.8.2", "0.5.8", "0.8.1", "0.7.0", "0.9.11", "0.8.3", "0.5.1", "0.2.2", "0.9.10", "0.9.8", "0.6.4", "0.8.6.1", "0.8.0", "0.7.4", "0.6.6", "0.9.9", "0.5.3", "0.2.1", "0.9.5", "0.8.5.1", "0.8.4", "0.5.7", "0.4.0", "0.9.25", "0.9.21", "0.9.15", "0.2.0", "0.2.3.2", "0.9.23", "0.9.0", "0.5.5", "0.8.7", "0.5.6", "0.9.26", "0.9.27", "0.9.28", "0.9.30", "0.9.29", "0.9.31", "0.9.32", "0.9.33", "0.9.34", "0.9.35", "0.9.36", "0.9.37", "0.9.38", "0.9.39", "0.9.40", "0.9.41", "0.9.42", "0.9.43"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

Possible arbitrary path traversal and file access via `yard server`

Published date: 2019-07-02
Links:

A path traversal vulnerability was discovered in YARD <= 0.9.19 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

Affected versions: ["0.9.19", "0.9.18", "0.9.17", "0.9.16", "0.9.15", "0.9.14", "0.9.13", "0.9.12", "0.9.11", "0.9.10", "0.9.9", "0.9.8", "0.9.7", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.7.6", "0.8.7.5", "0.8.7.4", "0.8.7.3", "0.8.7.2", "0.8.7.1", "0.8.7", "0.8.6.2", "0.8.6.1", "0.8.6", "0.8.5.2", "0.8.5.1", "0.8.5", "0.8.4.1", "0.8.4", "0.8.3", "0.8.2.1", "0.8.2", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.8", "0.6.7", "0.6.6", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.8", "0.5.7", "0.5.6", "0.5.5", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.1p1", "0.5.0", "0.4.0", "0.2.3.5", "0.2.3.4", "0.2.3.3", "0.2.3.2", "0.2.3", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [0.9.44]
Recommendation: Update to version 0.9.44.

99 Other Versions

Version License Security Released
0.9.44 MIT 2026-05-25 - 20:09 about 1 month
0.9.43 MIT 2 2026-04-18 - 06:14 3 months
0.9.42 MIT 2 2026-04-16 - 20:12 3 months
0.9.41 MIT 4 2026-04-14 - 16:15 3 months
0.9.40 MIT 4 2026-04-13 - 04:00 3 months
0.9.39 MIT 4 2026-04-08 - 16:39 3 months
0.9.38 MIT 4 2025-12-05 - 20:29 7 months
0.9.37 MIT 4 2024-09-04 - 08:51 almost 2 years
0.9.36 MIT 4 2024-02-29 - 22:19 over 2 years
0.9.35 MIT 6 2024-02-28 - 18:12 over 2 years
0.9.34 MIT 6 2023-04-12 - 21:27 about 3 years
0.9.33 MIT 6 2023-04-12 - 06:23 about 3 years
0.9.32 MIT 6 2023-04-09 - 19:25 about 3 years
0.9.31 MIT 6 2023-04-09 - 18:22 about 3 years
0.9.30 MIT 6 2023-04-09 - 17:17 about 3 years
0.9.29 MIT 6 2023-04-08 - 22:02 about 3 years
0.9.28 MIT 6 2022-06-01 - 20:20 about 4 years
0.9.27 MIT 6 2021-11-29 - 22:07 over 4 years
0.9.26 MIT 6 2020-12-27 - 00:17 over 5 years
0.9.25 MIT 6 2020-05-03 - 21:36 about 6 years
0.9.24 MIT 6 2020-01-08 - 18:36 over 6 years
0.9.23 MIT 6 2020-01-05 - 19:08 over 6 years
0.9.22 MIT 6 2019-12-31 - 20:45 over 6 years
0.9.21 MIT 6 2019-12-31 - 20:23 over 6 years
0.9.20 MIT 6 2019-06-27 - 23:37 about 7 years
0.9.19 MIT 8 2019-04-02 - 01:28 over 7 years
0.9.18 MIT 8 2019-01-22 - 02:07 over 7 years
0.9.17 MIT 8 2019-01-22 - 02:01 over 7 years
0.9.16 MIT 8 2018-08-11 - 20:39 almost 8 years
0.9.15 MIT 8 2018-07-18 - 05:09 almost 8 years
0.9.14 MIT 8 2018-06-03 - 01:44 about 8 years
0.9.13 MIT 8 2018-05-28 - 22:45 about 8 years
0.9.12 MIT 8 2017-11-26 - 20:39 over 8 years
0.9.11 MIT 8 2017-11-23 - 21:48 over 8 years
0.9.10 MIT 10 2017-11-18 - 21:52 over 8 years
0.9.9 MIT 10 2017-04-23 - 22:05 about 9 years
0.9.8 MIT 10 2017-01-13 - 19:57 over 9 years
0.9.7 MIT 10 2017-01-10 - 00:16 over 9 years
0.9.6 MIT 10 2017-01-07 - 19:40 over 9 years
0.9.5 MIT 10 2016-07-22 - 23:22 almost 10 years
0.9.4 MIT 10 2016-07-21 - 19:06 almost 10 years
0.9.3 MIT 10 2016-07-20 - 22:38 almost 10 years
0.9.2 MIT 10 2016-07-19 - 21:27 almost 10 years
0.9.1 MIT 10 2016-07-18 - 19:00 almost 10 years
0.9.0 MIT 10 2016-07-04 - 19:32 almost 10 years
0.8.7.6 MIT 10 2014-10-26 - 22:30 over 11 years
0.8.7.5 MIT 10 2014-10-26 - 10:40 over 11 years
0.8.7.4 MIT 10 2014-03-22 - 21:48 over 12 years
0.8.7.3 MIT 10 2013-11-02 - 00:17 over 12 years
0.8.7.2 MIT 10 2013-09-19 - 00:31 almost 13 years