Marshal Madness: a Brief History of Ruby Deserialization Exploits

Posted5 months agoActive4 months ago

pentestercrab

25 points

4 comments

blog.trailofbits.comTechstory

calmnegative

Debate

0/100

Ruby Deserialization ExploitsSecurity VulnerabilitiesSoftware Development

Key topics

Ruby Deserialization Exploits

Security Vulnerabilities

Software Development

A brief history of Ruby deserialization exploits and their security implications.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

Peak period

90-96h

Avg / period

Key moments

01Story posted
Aug 20, 2025 at 7:41 AM EDT
5 months ago
Step 01
02First comment
Aug 24, 2025 at 5:20 AM EDT
4d after posting
Step 02
03Peak activity
2 comments in 90-96h
Hottest window of the conversation
Step 03
04Latest activity
Aug 24, 2025 at 8:20 AM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (4 comments)

Showing 4 comments

Alifatisk

4 months ago

2 replies

Does Marshal dumps work across different computers or is it only compitable with the same computer that dumped the Marshal?

mook

4 months ago

I very vaguely recall that the format works across machines (and it was used in old versions of RPGMaker)? Looks like it's actually documented now, since https://docs.ruby-lang.org/en/2.1.0/marshal_rdoc.html has a description.

zoky

4 months ago

As a general rule they will work anywhere, as long as the major version of the Marshal format is the same, and this hasn’t changed since Ruby 1.8. I expect if it ever did change (I can’t see any reason for it to ever do so though) there would probably be some sort of backwards compatibility available, as the Ruby community really hates making breaking changes between language versions, especially without offering some kind of relatively easy solution for making older code work.

kayodelycaon

4 months ago

I thought Marshal and non-safe yaml are fundamentally unsafe. You’re allowing input to instantiate arbitrary objects. It’s relatively easy to find an exploitable class.

Python’s pickle function is equivalent and has a warning about this.

View full discussion on Hacker News

ID: 44960942Type: storyLast synced: 11/20/2025, 11:38:14 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN