CVE-2021-43809 | Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile

Exp

`Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.

Published: 2021-12-08 Last update: 2025-11-03 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2021-43809 is rated High Exploit Risk (70.6/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.55%). 2 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2021-43809

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2021-43809

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-04-24 1.32% 1.55% +0.23%
2 2026-04-19 1.56% 1.32% -0.24%
3 2025-12-19 1.56%

Full EPSS history (30 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-43809

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.7 3.1 MEDIUM
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 0.8 5.9 [email protected]
7.3 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.3 5.9 [email protected]
9.3 2.0 HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 8.6 10.0 [email protected]

Weakness enumeration for CVE-2021-43809

GitHub Security Advisory for CVE-2021-43809

GHSA-fj7f-vq84-fh43 · Severity: medium · Ecosystem: rubygems — Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile.

OS Trackers for CVE-2021-43809

vendor priority summary link
alpine CVE-2021-43809: 1 source package rows (ruby-bundler); 1 state rows across 1 repos (3.12-main); fixed 0, open 1. https://security.alpinelinux.org/vuln/CVE-2021-43809
debian not yet assigned CVE-2021-43809 not yet assigned priority: Debian including 1 source packages (rubygems), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2021-43809
gentoo normal CVE-2021-43809: 1 GLSA(s) (202408-22), 1 atom(s) (dev-ruby/bundler); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-43809
redhat medium https://access.redhat.com/security/cve/CVE-2021-43809
suse high CVE-2021-43809 severity important: SUSE including 268 source package names (2.19-54.2:ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1, 2.5-29.2:ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1, …), 338 product×package rows across 75 product lines (Container bci/ruby, Container suse/rmt-server, … (75 product lines)): Known Affected 231, Fixed 107. https://www.suse.com/security/cve/CVE-2021-43809/
ubuntu medium CVE-2021-43809 medium priority: Ubuntu including 1 source packages (bundler), 15 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 9, ignored 2, needed 2, needs-triage 2. https://ubuntu.com/security/CVE-2021-43809

Affected software / configurations for CVE-2021-43809

Vendor Product Version Raw CPE
bundler bundler < 2.2.33 cpe:2.3:a:bundler:bundler:*:*:*:*:*:ruby:*:*

References for CVE-2021-43809

cvelogic Threat Intelligence