Arbitrary Code Execution Affecting sprout package, versions >= 0.7.246

  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    1 Dec 2013

  • disclosed

    1 Dec 2013

  • credit



sprout is a modular set of tools that take the tedium and frustration out of creating and managing programming projects by automatically installing and configuring external tools, libraries, commands and build tasks. Affected versions of this gem are vulnerable to arbitrary code execution due to a flaw in the unpack_zip() function in archive_unpacker.rb. The program fails to properly sanitize input passed via the zip_file, dir, zip_name, and output parameters which may allow a context-dependent attacker to execute arbitrary code.