CVE-2025-27220 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
mitre	CNA	4 MEDIUM				CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 68%

Affected Products (NVD)

Vendor	Product	Version
ruby-lang	cgi	𝑥 < 0.3.5.1
ruby-lang	cgi	0.4.0 ≤ 𝑥 < 0.4.2
ruby-lang	cgi	0.3.6

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

ruby2.3

focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
xenial	Fixed 2.3.1-2~ubuntu16.04.16+esm10 released

ruby2.5

bionic	Fixed 2.5.1-1ubuntu1.16+esm4 released
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

ruby2.7

focal	Fixed 2.7.0-5ubuntu1.18 released
jammy	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

ruby3.0

focal	dne
jammy	Fixed 3.0.2-7ubuntu2.10 released
noble	dne
oracular	dne
plucky	dne
questing	dne

ruby3.2

focal	dne
jammy	dne
noble	Fixed 3.2.3-1ubuntu0.24.04.5 released
oracular	dne
plucky	dne
questing	dne

ruby3.3

focal	dne
jammy	dne
noble	dne
oracular	Fixed 3.3.4-2ubuntu5.2 released
plucky	Fixed 3.3.7-1ubuntu2 released
questing	Fixed 3.3.7-1ubuntu2 released

jruby

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	needs-triage
oracular	ignored
plucky	ignored
questing	needs-triage
trusty	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml

https://hackerone.com/reports/2890322

https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html