---
gem: slanger
cve: 2019-1010306
ghsa: rg32-m3hf-772v
url: https://github.com/stevegraham/slanger/pull/238
date: 2019-07-16
title: Arbitrary command execution in slanger
description: |
  A remote attacker can execute arbitrary commands by sending a crafted request to the server.

  This is due to the use of `Oj.load` instead of `Oj.strict_load` when processing messages.

  Note that `slanger` is no longer maintained.
patched_versions:
  - ">= 0.6.1"
cvss_v3: 9.8