---
engine: ruby
cve: 2018-8780
url: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
title: Unintentional directory traversal by poisoned NUL byte in Dir
date: 2018-03-28
description: |
  There is an unintentional directory traversal in some methods in `Dir`

  `Dir.open`, `Dir.new`, `Dir.entries` and `Dir.empty?` accept the path of the
  target directory as their parameter. If the parameter contains NUL (`\0`)
  bytes, these methods recognize that the path is completed before the NUL bytes.
  So, if a script accepts an external input as the argument of these methods, the
  attacker can make the unintentional directory traversal.

  All users running an affected release should upgrade immediately.
patched_versions:
  - "~> 2.2.10"
  - "~> 2.3.7"
  - "~> 2.4.4"
  - "~> 2.5.1"
  - "> 2.6.0-preview1"