
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-Q66H-M87M-J2Q6: Coin Toss to Shell: Unmasking the bitcoinrb RPC Command Injection

Vulnerability ID: GHSA-Q66H-M87M-J2Q6
CVSS Score: 9.8
Published: 2026-02-10

A critical Command Injection vulnerability was discovered in the bitcoinrb RubyGem, a Ruby implementation of the Bitcoin protocol. The flaw stems from insecure dynamic method dispatch in the RPC server component, specifically the misuse of Ruby's Object#send: the method name taken from the JSON-RPC request is handed to send without being checked against the set of supported RPC commands. By crafting a malicious JSON-RPC request, an unauthenticated attacker can invoke arbitrary Ruby Kernel methods, such as system or exec, effectively turning a Bitcoin node into a remote shell. This vulnerability affects all versions prior to 1.12.0.

TL;DR

The bitcoinrb gem's RPC server passes the method field of an incoming JSON-RPC request straight to Object#send, so an attacker can name any Kernel method and execute system commands. If you run a node with this gem exposed, your server is compromised. Update to v1.12.0 immediately.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Command Injection / Unsafe Reflection
  • Attack Vector: Network (RPC Interface)
  • Affected Component: lib/bitcoin/rpc/http_server.rb
  • Dangerous Method: Object#send
  • CVSS Score: 9.8 (Critical)
  • Patch Version: 1.12.0
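To make the mechanism concrete, here is an added Ruby example; it is not code from bitcoinrb or from this report. It uses a hypothetical RpcHandler class with two commands standing in for the real handler in lib/bitcoin/rpc/http_server.rb, shows why a name taken from the JSON method field and passed to Object#send can reach inherited Kernel methods (reported with respond_to?, nothing is executed), and places next to it a dispatcher that tests an allow-list modelled on the fix's SUPPORTED_COMMANDS constant (only the two names visible in the diff are assumed) before calling public_send.

```ruby
require "json"

# Hypothetical stand-in for the bitcoinrb RPC handler; the real class in
# lib/bitcoin/rpc/http_server.rb is not reproduced here.
class RpcHandler
  def getblockchaininfo
    { "chain" => "main", "blocks" => 0 } # constructed sample result
  end

  def stop
    "bitcoinrb stopping"
  end
end

# Allow-list in the spirit of the SUPPORTED_COMMANDS constant added by the
# fix; only the two names visible in the published diff are listed here.
SUPPORTED_COMMANDS = %w[getblockchaininfo stop].freeze

# The pre-1.12.0 pattern passed the JSON "method" string straight to
# Object#send, which also reaches private methods, so every Kernel method
# the handler inherits (system, exec, ...) was callable by name. This helper
# only reports whether a name would be reachable that way; it calls nothing.
def reachable_via_send?(handler, name)
  handler.respond_to?(name, true) # true = include private methods
end

# Hardened dispatcher: exact-string membership test against the frozen
# allow-list before any dispatch, then public_send so private methods stay
# unreachable even if the list is extended carelessly later. Unknown names
# get the standard JSON-RPC "Method not found" error.
def dispatch(handler, request_json)
  req = JSON.parse(request_json)
  name = req["method"]
  params = Array(req["params"]) # nil or missing params become []
  id = req["id"]

  unless name.is_a?(String) && SUPPORTED_COMMANDS.include?(name)
    return { "result" => nil,
             "error" => { "code" => -32601, "message" => "Method not found" },
             "id" => id }
  end

  { "result" => handler.public_send(name, *params), "error" => nil, "id" => id }
end

if __FILE__ == $PROGRAM_NAME
  h = RpcHandler.new
  puts reachable_via_send?(h, "system") # true: the reason the old dispatch was exploitable
  puts dispatch(h, '{"method":"getblockchaininfo","params":[],"id":1}').to_json
  puts dispatch(h, '{"method":"system","params":["..."],"id":2}').to_json
end
```

The allow-list check runs on the raw string before anything is looked up, and public_send is used rather than send so that the guard does not rely on every future list entry being chosen carefully.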

Affected Systems

  • bitcoinrb < 1.12.0 (fixed in 1.12.0)

Code Analysis

Commit: 0703271

Fix RCE by whitelisting RPC commands

@@ -1,5 +1,18 @@
+SUPPORTED_COMMANDS = %w[
+  getblockchaininfo
+  stop
...]
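Review bot: the excerpt shows only the SUPPORTED_COMMANDS constant, not the guard that consults it, and the fix is only effective if the request's method string is tested for exact membership (`SUPPORTED_COMMANDS.include?(method)`) before any call to send; dispatch should also switch to public_send so that private Kernel methods stay unreachable even if a list entry is ever added by mistake. Consider appending `.freeze` to the `%w[...]` literal so the list cannot be mutated at runtime. Note that `stop` is among the allowed names: it is a legitimate RPC command, but an unauthenticated caller who reaches the endpoint can still halt the node, which is why the RPC authentication recommended below still matters.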

Exploit Details

  • Generated: Curl command injecting 'system' method into RPC request.

Mitigation Strategies

  • Update bitcoinrb to version 1.12.0 immediately.
  • Restrict network access to the RPC port (default 8332).
  • Implement strong RPC authentication.

Remediation Steps:

  1. Stop the running Ruby process.
  2. Run bundle update bitcoinrb to fetch version 1.12.0.
  3. Verify the version with bundle list bitcoinrb.
  4. Restart the application.
  5. Review logs for past exploitation attempts.
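Steps 3 and 5 can be scripted. The following added Ruby example is not part of the report or of bitcoinrb: it checks a version string against the 1.12.0 fix boundary and scans constructed request-log lines, in a log format assumed for illustration, for JSON-RPC bodies whose method is not in the allow-list; every such line is a candidate exploitation attempt worth correlating with the source IP.

```ruby
require "json"

# Same allow-list as the fix's constant, restricted to the names visible
# in the published diff.
SUPPORTED_COMMANDS = %w[getblockchaininfo stop].freeze

# Step 3: anything below the patch version is still exposed.
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < Gem::Version.new("1.12.0")
end

# Assumed log format (timestamp, client IP, HTTP method, path, JSON body);
# adapt LINE_RE to whatever your reverse proxy or application actually writes.
LINE_RE = /\A(?<ts>\S+) (?<ip>\S+) POST (?<path>\S+) (?<body>\{.*\})\z/

# Constructed sample lines, not real bitcoinrb or cvereports output.
SAMPLE_LOG = <<~LOG
  2026-02-10T09:14:02Z 10.0.0.5 POST / {"method":"getblockchaininfo","params":[],"id":1}
  2026-02-10T09:14:07Z 198.51.100.9 POST / {"method":"system","params":["..."],"id":2}
  2026-02-10T09:14:09Z 198.51.100.9 POST / {"method":"exec","params":["..."],"id":3}
  2026-02-10T09:15:00Z 10.0.0.5 POST / {"method":"stop","params":[],"id":4}
  2026-02-10T09:15:30Z 203.0.113.4 POST / not-json
LOG

# Step 5: return every request whose method is not an allowed RPC command.
# Lines that do not match the format or carry unparsable JSON are skipped
# but counted, so a gap in coverage is visible rather than silent.
def suspicious_rpc_calls(log_text)
  hits = []
  skipped = 0
  log_text.each_line do |line|
    m = LINE_RE.match(line.strip)
    if m.nil?
      skipped += 1
      next
    end
    begin
      body = JSON.parse(m[:body])
    rescue JSON::ParserError
      skipped += 1
      next
    end
    name = body["method"]
    next if name.is_a?(String) && SUPPORTED_COMMANDS.include?(name)
    hits << { ts: m[:ts], ip: m[:ip], method: name }
  end
  { hits: hits, skipped: skipped }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable 1.11.0: #{vulnerable_version?('1.11.0')}"
  report = suspicious_rpc_calls(SAMPLE_LOG)
  report[:hits].each { |h| puts "#{h[:ts]} #{h[:ip]} method=#{h[:method]}" }
  puts "skipped #{report[:skipped]} unparsable line(s)"
end
```

Because the check is a deny-by-default comparison against the same allow-list the fix introduces, any method name the patched server would reject shows up in the scan, not only the two Kernel methods named in this report.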

Read the full report for GHSA-Q66H-M87M-J2Q6 on our website for more details including interactive diagrams and full exploit analysis.
