Documenting the evolution of exploitation techniques serves a crucial purpose in security engineering: it helps us understand not just individual vulnerabilities but the systemic patterns that resist conventional fixes. The story of deserialization exploits in Ruby’s Marshal module offers a uniquely well-documented case study of this phenomenon: a decade-long cycle of patches and bypasses that reveals the futility of addressing symptoms rather than root causes.

This history matters because it demonstrates why certain classes of vulnerabilities persist despite our best efforts. By tracing how we got here, we can better understand why fundamental changes to the Ruby ecosystem are necessary, rather than continued reliance on the patch-and-hope approach that has thus far failed to solve the problem.

It’s worth noting that Trail of Bits has been documenting Ruby deserialization bugs since at least 2015, although those were in the JSON and YAML data formats. Hal Brodigan, a Trail of Bits employee from 2012 to 2015, documented even earlier Ruby examples as well. Additionally, Java has CVEs going back to 2011 and PHP to 2007 regarding deserialization of untrusted data. For this reason, I’ve decided to focus primarily on Ruby Marshal deserialization in this post and avoid the long tail of all serialization formats and programming languages. And with that, here is a brief look at the evolution of Marshal deserialization exploits:

Understanding Marshal deserialization vulnerabilities

It’s December 12, 2024. Somewhere on the Ruby language’s CI servers, version 3.4.0-rc1 has just been released. Unbeknownst to the Ruby developers, a subtle bug exists that allows for Marshal deserialization exploitation. This code had not been touched for 16 years, so there was no reason to suspect a thing. A few weeks earlier, however, Luke Jahnke had published a new Marshal exploitation technique, but word had not yet gotten around.
Just before Christmas day a patch is merged and Ruby 3.4.0 is eventually ...
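The root cause the post keeps returning to is that Marshal.load reconstructs whatever class the byte stream names; the application that calls it has no say. The following is an added example, not code from the post or from Ruby itself, that shows that behaviour with two constructed classes and then one defensive pattern: authenticate a Marshal blob with an HMAC (key, classes and payloads are all constructed for the example) so that Marshal.load only ever sees bytes this process produced.

```ruby
require 'openssl'

# Constructed: the class the application expects to get back.
class SessionToken
  attr_reader :user
  def initialize(user)
    @user = user
  end
end

# Constructed: a class the application never intended to load.
class Unexpected
  attr_reader :note
  def initialize(note)
    @note = note
  end
end

# Marshal.load instantiates the class recorded in the stream, not the
# class the caller had in mind. That is the property every Marshal
# deserialization bug in this history builds on.
def loaded_class(blob)
  Marshal.load(blob).class
end

# Mitigation: treat Marshal output as opaque bytes and authenticate them.
# Format of a sealed value: "<hex hmac>.<base64 blob>".
def seal(blob, key)
  OpenSSL::HMAC.hexdigest('SHA256', key, blob) + '.' + [blob].pack('m0')
end

# Constant-time comparison so the check does not leak the tag byte by byte.
def same_tag?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the object only if the tag verifies; nil for anything else,
# so an attacker-supplied stream never reaches Marshal.load.
def open_sealed(sealed, key)
  tag, b64 = sealed.to_s.split('.', 2)
  return nil if tag.nil? || b64.nil?
  blob = b64.unpack1('m0')
  return nil unless same_tag?(tag, OpenSSL::HMAC.hexdigest('SHA256', key, blob))
  Marshal.load(blob)
rescue ArgumentError
  nil # strict base64 rejected the payload
end
```

Authenticating the blob only helps when the key never reaches the client; if the same key is shared with untrusted parties, the check proves nothing and a format that never instantiates caller-chosen classes (such as JSON) is the safer choice.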