CVE-2009-1904

Exp

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.

Published: 2009-06-11 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

NVD Status：Modified，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2009-1904

EPSS CVSS CWE Exploit-DB Affected OS Tracker

Conclusion & alert: CVE-2009-1904 is rated High Exploit Risk (73/100): CVSS Medium severity, with high exploitation likelihood (EPSS 8.38%, 94th percentile). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +5.82% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2009-1904

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2009-1904

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	2.56%	8.38%	+5.82%
2	2026-06-04	6.79%	2.56%	-4.23%
3	2026-06-03	—	6.79%	—

Full EPSS history (27 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-1904

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:N/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	10.0	2.9	[email protected]

Weakness enumeration for CVE-2009-1904

CWE-189 MITRE ↗

OS Trackers for CVE-2009-1904

vendor	priority	summary	link
`gentoo`	normal	CVE-2009-1904: 1 GLSA(s) (200906-02), 1 atom(s) (dev-lang/ruby); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2009-1904
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2009-1904
`ubuntu`	medium	CVE-2009-1904 medium priority: Ubuntu including 2 source packages (ruby1.8, ruby1.9), 20 status rows across 10 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, upstream): released 9, not-affected 5, DNE 3, ignored 2, needs-triage 1.	https://ubuntu.com/security/CVE-2009-1904

Affected software / configurations for CVE-2009-1904

Vendor	Product	Version	Raw CPE
ruby-lang	ruby	1.8.6	cpe:2.3:a:ruby-lang:ruby:1.8.6:::::::*
ruby-lang	ruby	1.8.7	cpe:2.3:a:ruby-lang:ruby:1.8.7:::::::*

References for CVE-2009-1904

URL	Tags
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689	Patch
http://bugs.gentoo.org/show_bug.cgi?id=273213
http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master	Patch
http://groups.google.com/group/rubyonrails-security/msg/fad60751e2b9b4f6?dmode=source
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://mail-index.netbsd.org/pkgsrc-changes/2009/06/10/msg024708.html
http://osvdb.org/55031
http://redmine.ruby-lang.org/issues/show/794	Exploit Patch
http://secunia.com/advisories/35399	Vendor Advisory
http://secunia.com/advisories/35527
http://secunia.com/advisories/35593
http://secunia.com/advisories/35699
http://secunia.com/advisories/35937
http://secunia.com/advisories/37705
http://security.gentoo.org/glsa/glsa-200906-02.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.430805
http://support.apple.com/kb/HT4077
http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby/	Patch
http://www.mandriva.com/security/advisories?name=MDVSA-2009:160
http://www.redhat.com/support/errata/RHSA-2009-1140.html
http://www.ruby-forum.com/topic/189071
http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/	Patch Vendor Advisory
http://www.securityfocus.com/bid/35278
http://www.securitytracker.com/id?1022371
http://www.ubuntu.com/usn/USN-805-1
http://www.vupen.com/english/advisories/2009/1563
https://bugs.launchpad.net/bugs/385436
https://bugs.launchpad.net/bugs/cve/2009-1904
https://exchange.xforce.ibmcloud.com/vulnerabilities/51032
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9780
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00731.html

cvelogic Threat Intelligence