🚨 [security] Update cgi 0.4.1 → 0.4.2 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ cgi (indirect, 0.4.1 → 0.4.2) · Repo

Security Advisories 🚨

🚨 CGI has Denial of Service (DoS) potential in Cookie.parse

There is a possibility for DoS by in the cgi gem.
This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.

Details

CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.

Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.

Affected versions

cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.

Credits

Thanks to lio346 for discovering this issue.
Also thanks to mame for fixing this vulnerability.

🚨 CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement

There is a possibility for Regular expression Denial of Service (ReDoS) by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.

Details

The regular expression used in CGI::Util#escapeElement is vulnerable to ReDoS. The crafted input could lead to a high CPU consumption.

This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.

Affected versions

cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.

Credits

Thanks to svalkanov for discovering this issue.
Also thanks to nobu for fixing this vulnerability.

Release Notes

0.4.2

What's Changed

• Exclude older than 2.6 on macos-14 by @nobu in #49
• Make PStore tests as optional by @hsbt in #50
• Enabled trusted publisher for rubygems.org by @hsbt in #51
• Fix escapeElement and CGI::Cookie.parse by @hsbt in #52

Full Changelog: v0.4.1...v0.4.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• Bump up v0.4.2
• Escape/unescape unclosed tags as well
• Use String#concat instead of String#+ for reducing cpu usage
• Bump up 0.4.2.beta2
• Bump up 0.4.2.beta1
• Enabled trusted publisher for rubygems.org
• Use license files same as ruby/ruby
• Make PStore tests as optional
• Exclude older than 2.6 on macos-14

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)