RubyGems security

One recent problem with RubyGems security was a request hijacking vulnerability. As described by the vulnerability researchers, RubyGems has a “Gem Server Discovery” feature that relies on DNS SRV records to find a gem server. Because these records may point to any URL, the feature was vulnerable to DNS hijacking attacks. Update RubyGems to the latest version: gem update --system

Other RubyGems security measures

  • Use only HTTPS gem sources. Run gem sources to list the configured sources, and use the --add and --remove options to add and remove entries from the list.
  • Check the gem source at the beginning of your Gemfile; it should be HTTPS: source ""
  • Also, don’t use the git:// protocol as a gem source, because, like plain HTTP, it is unencrypted; replace it with the HTTPS version.
  • Don’t use the :github parameter until Bundler 2 comes out, because right now it also expands to the git:// protocol.
    However, if you still want that handy shortcut to centralize the gem sources, you can override the :github shortcut with your own HTTPS git source at the beginning of your Gemfile (see the “custom git sources” section in the Bundler docs):
    # Redefine the :github shortcut so it expands to an HTTPS URL instead of git://
    git_source(:github) do |repo_name|
      # "rails" becomes "rails/rails"; "owner/repo" is kept as given
      repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
      "https://github.com/#{repo_name}.git"
    end
  • Also, if you use more than one source in your Gemfile, use source blocks instead of per-gem source attributes. So instead of gem "personal-gem", source: "", write
    source "" do
      gem "personal-gem"
    end
    This is a workaround until Bundler solves the problem.
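As an added example (not code from the original article), the following Ruby script audits a Gemfile's text for the risky patterns discussed above: a plain-HTTP source, a git:// URL, the :github shortcut, and a per-gem source: attribute. The sample Gemfile and its hostnames are constructed for illustration, and the regular expressions only cover the common syntax forms.

```ruby
# Patterns for the insecure Gemfile forms covered in the article.
INSECURE_PATTERNS = {
  http_source:     %r{^\s*source\s+["']http://[^"']+["']},   # source "http://..."
  git_protocol:    %r{["']git://[^"']+["']},                 # any git:// URL
  github_shortcut: /^\s*gem\b.*\bgithub:\s*["'][^"']+["']/,  # gem ..., github: "owner/repo"
  source_option:   /^\s*gem\b.*\bsource:\s*["'][^"']+["']/,  # gem ..., source: "..."
}.freeze

# Returns [line_number, finding] pairs (1-indexed) for every non-comment
# line of the Gemfile text that matches one of the patterns above.
def audit_gemfile(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    next if line.strip.start_with?("#")
    INSECURE_PATTERNS.each do |name, re|
      findings << [no, name] if line.match?(re)
    end
  end
  findings
end

# Constructed sample Gemfile mixing the risky forms with their safe replacements.
SAMPLE_GEMFILE = <<~GEMFILE
  source "http://rubygems.example"                     # plain HTTP source
  source "https://rubygems.example"                    # fine
  gem "foo", git: "git://git.example/foo.git"          # unencrypted git protocol
  gem "bar", git: "https://git.example/bar.git"        # fine
  gem "baz", github: "acme/baz"                        # shortcut expands to git://
  gem "personal-gem", source: "https://gems.example"   # per-gem source attribute
  source "https://gems.example" do
    gem "other-gem"                                    # fine: source block
  end
GEMFILE

if __FILE__ == $PROGRAM_NAME
  audit_gemfile(SAMPLE_GEMFILE).each do |no, name|
    puts "line #{no}: #{name}"
  end
end
```

Run it against a real Gemfile with audit_gemfile(File.read("Gemfile")) to get the same list of findings.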