Vulnerable Library - fastlane-2.207.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Vulnerabilities
| CVE |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (fastlane version) |
Remediation Possible** |
| CVE-2024-47220 |
 High |
7.5 |
webrick-1.7.0.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-35611 |
High |
7.5 |
addressable-2.8.0.gem |
Transitive |
N/A* |
❌ |
| CVE-2025-6442 |
 Medium |
5.9 |
webrick-1.7.0.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-25765 |
Medium |
5.8 |
faraday-1.10.0.gem |
Transitive |
N/A* |
❌ |
| CVE-2025-14762 |
Medium |
5.3 |
aws-sdk-s3-1.114.0.gem |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-47220
Vulnerable Library - webrick-1.7.0.gem
WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.
Library home page: https://rubygems.org/gems/webrick-1.7.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
- fastlane-2.207.0.gem (Root Library)
- google-apis-androidpublisher_v3-0.25.0.gem
- google-apis-core-0.7.0.gem
- ❌ webrick-1.7.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."
Publish Date: 2024-09-22
URL: CVE-2024-47220
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
CVE-2026-35611
Vulnerable Library - addressable-2.8.0.gem
Addressable is an alternative implementation to the URI implementation that is
part of Ruby's standard library. It is flexible, offers heuristic parsing, and
additionally provides extensive support for IRIs and URI templates.
Library home page: https://rubygems.org/gems/addressable-2.8.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
- fastlane-2.207.0.gem (Root Library)
- ❌ addressable-2.8.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
Publish Date: 2026-04-07
URL: CVE-2026-35611
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-h27x-rffw-24p4
Release Date: 2026-04-07
Fix Resolution: addressable - 2.9.0
CVE-2025-6442
Vulnerable Library - webrick-1.7.0.gem
WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.
Library home page: https://rubygems.org/gems/webrick-1.7.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
- fastlane-2.207.0.gem (Root Library)
- google-apis-androidpublisher_v3-0.25.0.gem
- google-apis-core-0.7.0.gem
- ❌ webrick-1.7.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability
Publish Date: 2025-06-25
URL: CVE-2025-6442
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: ruby/webrick@ee60354
Release Date: 2025-06-22
Fix Resolution: webrick - 1.8.2,https://github.com/ruby/webrick.git - v1.8.2
CVE-2026-25765
Vulnerable Library - faraday-1.10.0.gem
Library home page: https://rubygems.org/gems/faraday-1.10.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
- fastlane-2.207.0.gem (Root Library)
- ❌ faraday-1.10.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Publish Date: 2026-02-09
URL: CVE-2026-25765
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-33mh-2634-fwr2
Release Date: 2026-02-09
Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1,faraday - 2.14.1
CVE-2025-14762
Vulnerable Library - aws-sdk-s3-1.114.0.gem
Official AWS Ruby gem for Amazon Simple Storage Service (Amazon S3). This gem is part of the AWS SDK for Ruby.
Library home page: https://rubygems.org/gems/aws-sdk-s3-1.114.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
- fastlane-2.207.0.gem (Root Library)
- ❌ aws-sdk-s3-1.114.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record.
To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later.
Publish Date: 2025-12-17
URL: CVE-2025-14762
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2xgq-q749-89fq
Release Date: 2025-12-17
Fix Resolution: aws-sdk-s3 - 1.208.0
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - webrick-1.7.0.gem
WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.
Library home page: https://rubygems.org/gems/webrick-1.7.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."
Publish Date: 2024-09-22
URL: CVE-2024-47220
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Vulnerable Library - addressable-2.8.0.gem
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.
Library home page: https://rubygems.org/gems/addressable-2.8.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
Publish Date: 2026-04-07
URL: CVE-2026-35611
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-h27x-rffw-24p4
Release Date: 2026-04-07
Fix Resolution: addressable - 2.9.0
Vulnerable Library - webrick-1.7.0.gem
WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.
Library home page: https://rubygems.org/gems/webrick-1.7.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability
Publish Date: 2025-06-25
URL: CVE-2025-6442
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: ruby/webrick@ee60354
Release Date: 2025-06-22
Fix Resolution: webrick - 1.8.2,https://github.com/ruby/webrick.git - v1.8.2
Vulnerable Library - faraday-1.10.0.gem
Library home page: https://rubygems.org/gems/faraday-1.10.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Publish Date: 2026-02-09
URL: CVE-2026-25765
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-33mh-2634-fwr2
Release Date: 2026-02-09
Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1,faraday - 2.14.1
Vulnerable Library - aws-sdk-s3-1.114.0.gem
Official AWS Ruby gem for Amazon Simple Storage Service (Amazon S3). This gem is part of the AWS SDK for Ruby.
Library home page: https://rubygems.org/gems/aws-sdk-s3-1.114.0.gem
Path to dependency file: /example/android/Gemfile.lock
Path to vulnerable library: /example/android/Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record.
To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later.
Publish Date: 2025-12-17
URL: CVE-2025-14762
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2xgq-q749-89fq
Release Date: 2025-12-17
Fix Resolution: aws-sdk-s3 - 1.208.0