
Germán Alberto Gimenez Silva

Posted on • Originally published at rubystacknews.com on

Ruby 4.0.3 Released: Critical ERB Deserialization Fix


April 21, 2026


Ruby 4.0.3 has been released with a critical security fix for a deserialization vulnerability in ERB that could lead to arbitrary code execution.

The Issue (CVE-2026-41316)

A flaw in ERB allows code execution when objects are reconstructed via Marshal.load on untrusted data.

ERB includes an @_init guard to prevent this, but three methods bypass it:

  • ERB#def_method
  • ERB#def_module
  • ERB#def_class

These can evaluate template code without the guard, making them usable in deserialization attack chains.

Who Is Affected?

Any application that:

  • uses Marshal.load on untrusted data
  • loads both ERB and ActiveSupport
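The root condition in both lists above is Marshal.load on untrusted bytes: the ERB methods only matter once an attacker controls what gets reconstructed. The following is an added example, not code from the post or from Ruby's own patch, showing the defensive boundary a practitioner would put in place regardless of the patch: a hypothetical SafePayload module that never hands untrusted input to Marshal, accepts only JSON (plain data, no object reconstruction), requires an HMAC tag over the payload, and refuses anything that starts with the Marshal 4.8 stream header. The helper erb_fix_present? compares a Ruby version string against the 4.0.3 release named in the post; the key and payloads in the usage section are constructed for the demonstration.

```ruby
require "json"
require "openssl"
require "rubygems"

# Hypothetical helper (added example, not part of Ruby or the advisory).
# Design: untrusted bytes are parsed as JSON only after their HMAC checks out,
# so Marshal.load, and therefore the ERB gadget chain, is never reachable
# from attacker-controlled input.
module SafePayload
  MARSHAL_MAGIC = "\x04\x08".b   # header written by Marshal.dump (format 4.8)
  HMAC_ALGO     = "SHA256"

  class Rejected < StandardError; end

  # Serialize trusted data on the producing side: JSON body plus HMAC tag.
  def self.encode(object, key)
    body = JSON.generate(object)
    tag  = OpenSSL::HMAC.hexdigest(HMAC_ALGO, key, body)
    "#{tag}--#{body}"
  end

  # Deserialize on the consuming side. Every failure path raises Rejected
  # before any parsing of the body happens.
  def self.decode(payload, key)
    raise Rejected, "marshal stream rejected" if payload.b.start_with?(MARSHAL_MAGIC)

    tag, body = payload.split("--", 2)   # tag is hex, so the first "--" is the separator
    raise Rejected, "malformed payload" if tag.nil? || body.nil?

    expected = OpenSSL::HMAC.hexdigest(HMAC_ALGO, key, body)
    # Length check first: fixed_length_secure_compare raises on unequal lengths.
    unless tag.bytesize == expected.bytesize &&
           OpenSSL.fixed_length_secure_compare(tag, expected)
      raise Rejected, "bad signature"
    end

    JSON.parse(body)   # plain hashes/arrays/strings only: no object reconstruction
  end

  # True when the given Ruby version carries the ERB fix released in 4.0.3
  # (the only fixed version the post names; other branches are not covered here).
  def self.erb_fix_present?(version = RUBY_VERSION)
    Gem::Version.new(version) >= Gem::Version.new("4.0.3")
  end
end

if __FILE__ == $PROGRAM_NAME
  key = "constructed-demo-key-do-not-reuse"          # constructed for the demo
  signed = SafePayload.encode({ "user" => "alice", "role" => "viewer" }, key)
  puts SafePayload.decode(signed, key).inspect

  [signed.sub("viewer", "admin"),                   # body edited, tag stale
   Marshal.dump([1, 2]),                            # raw Marshal stream
   "abc--{}"].each do |bad|                         # tag of the wrong length
    begin
      SafePayload.decode(bad, key)
    rescue SafePayload::Rejected => e
      puts "rejected: #{e.message}"
    end
  end
  puts "ERB fix present in #{RUBY_VERSION}: #{SafePayload.erb_fix_present?}"
end
```

The Marshal-header check is belt-and-braces: the real protection is that decode only ever calls JSON.parse, so a Marshal stream would fail signature verification anyway. Keep the HMAC key out of the code in practice and rotate it like any other secret.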

👉 Read the full article.
