{"id":"CVE-2025-27220","details":"In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.","aliases":["GHSA-mhwm-jh88-3gjf"],"modified":"2026-04-17T13:29:12.863093465Z","published":"2025-03-04T00:15:31.693Z","related":["ALSA-2025:4063","ALSA-2025:4488","CGA-9mpc-wqhj-mv2j","SUSE-SU-2025:1369-1","SUSE-SU-2025:4264-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml"},{"type":"REPORT","url":"https://hackerone.com/reports/2890322"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/cgi","events":[{"introduced":"0"},{"fixed":"9f7e78ece68a2cab7531d5e1111ec2e4d5344ad9"},{"introduced":"6ddd5fc7d76b43b518b51277aecfb77fb5cad9ba"},{"fixed":"ab84b7fe6624faeba21fb52acac33ea678366e11"}]}],"versions":["v0.4.0","v0.4.1","v0.4.2.beta1","v0.4.2.beta2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-27220.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}