Security Modules Hub

Bring your software development workflows to security


Ruby unpack Integer Overflow

Signals & Triggers

On String#unpack call
If the @ offset in the format string triggers an integer overflow


  • Block the HTTP request
  • Send an email to all team members
  • Send a Slack notification.
  • POST to your Webhook.
  • Send to New Relic Insights.


CVE-2018-8778 is a buffer under-read triggered through String#unpack. This method decodes a string according to the given format string and returns an array of the extracted values. The @ directive in that format string sets the absolute position from which parsing continues.

If a sufficiently large number is passed with @, the value wraps to a negative number and unpack skips a negative number of bytes. This is where the out-of-bounds read occurs, so an attacker could use it to read sensitive data from the heap. This article explains the vulnerability in detail.

This page describes the vulnerable versions of Ruby.

Advanced details

Sqreen hooks the String#unpack method and checks that the format string, if it contains @, does not carry a large offset. The key is to check whether that format string comes from the current request parameters: only then is it treated as attacker-controlled.

So the rule we implemented looks a bit like:

# Only formats containing the '@' positioning directive matter
return false unless format_string.include?('@')
# Only act when the format string itself came from the request parameters
return false unless user_parameters.include?(format_string)
# parse extracts the numeric offset that follows '@' (helper not shown here)
offset = parse(format_string)
return offset > TWO_GIGABYTES
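The following is an added example that turns the rule sketched above into runnable Ruby; it is not Sqreen's own code. It assumes a concrete value for TWO_GIGABYTES (2**31, the point where a 32-bit signed offset wraps), assumes user_parameters is an array of request-supplied strings, and names its helpers (unpack_at_offsets, suspicious_unpack_format?, guarded_unpack) itself. It also generalises the page's single offset to every @ directive in the format, so a format with several @ counts is checked as a whole.

```ruby
# Added example (not Sqreen's code): a detection check modelled on the rule above.
# The threshold value, helper names and the shape of user_parameters (an array of
# request-supplied strings) are assumptions for this example.

# Offsets above 2**31 no longer fit a signed 32-bit value; the page's rule
# compares against a constant named TWO_GIGABYTES, which is defined here.
TWO_GIGABYTES = 2**31

# Returns every numeric count that follows an '@' directive in a pack/unpack
# format string. A bare '@' (no count) positions at offset 0.
def unpack_at_offsets(format_string)
  format_string.scan(/@(\d*)/).map { |(digits)| digits.empty? ? 0 : digits.to_i }
end

# Mirrors the rule in the text: the format must contain '@', must itself be one
# of the request parameters (attacker-controlled), and must carry an oversized
# offset. Checks all '@' directives, not just the first.
def suspicious_unpack_format?(format_string, user_parameters)
  return false unless format_string.include?('@')
  return false unless user_parameters.include?(format_string)
  unpack_at_offsets(format_string).any? { |offset| offset > TWO_GIGABYTES }
end

# Guarded wrapper: refuses to run String#unpack with a suspicious,
# request-supplied format (the "block the request" action) and otherwise
# delegates to the real method unchanged.
def guarded_unpack(data, format_string, user_parameters)
  if suspicious_unpack_format?(format_string, user_parameters)
    raise ArgumentError, "blocked: oversized @ offset in request-supplied unpack format"
  end
  data.unpack(format_string)
end

if $PROGRAM_NAME == __FILE__
  # Constructed request: a parameter value is reused verbatim as a format string.
  request_params = ["@3000000000C"]
  puts suspicious_unpack_format?(request_params.first, request_params)  # true
  # A benign, in-range '@' offset passes straight through to String#unpack.
  puts guarded_unpack("\x01\x02\x03\x04", "C@2C", ["C@2C"]).inspect       # [1, 3]
end
```

The check deliberately has two gates: a large offset in a format string the application itself wrote is not an attack, so the rule only fires when the identical string also appears among the request parameters. Flagging on offset alone would block legitimate code paths; flagging on provenance alone would block every request-derived format.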

Language support

  • Ruby

Data collected by Sqreen



On attack
  • Malicious request
  • Attacker IP
  • Attacker account (Sqreen SDK)

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

  • Node.js
  • Ruby
  • PHP
  • Python
  • Java
  • Go

$ npm install --save sqreen

$ echo '{ "token": "your token" }' > sqreen.json

$ echo "gem 'sqreen'" >> Gemfile

$ bundle install

$ echo "token: your token" > config/sqreen.yml

$ curl -s > && bash your token

$ pip install sqreen

$ echo -e "[sqreen]\ntoken: your token" > sqreen.ini

$ curl -o sqreen.jar

Request your beta access for the Go agent.
