Ruby Marshal Deserialization Exploits: A Decade in Review
This article traces the evolution of Ruby Marshal deserialization exploits from an initial bug report in 2013 to modern industrialized gadget discovery. It highlights key milestones: Charlie Somerville’s 2013 bug tracker issue, Phrack’s 2016 proof-of-concept, Luke Jahnke’s 2018 universal RCE payload, and successive gadget chains from security researchers. The modern era features advanced tooling—CodeQL queries and Semgrep rules—to detect unsafe deserialization. Despite patches in Ruby 3.2 and safe YAML defaults, new gadgets continue to emerge, underscoring the futility of patch-and-hope. The article concludes with actionable recommendations: audit code for Marshal.load usage, adopt safe_load and JSON, and gradually deprecate Ruby Marshal with a safe_load API and runtime warnings. These steps aim to eliminate arbitrary code execution vulnerabilities tied to Ruby Marshal deserialization.
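The recommendations in the summary above (find every `Marshal.load` call, prefer `JSON` and `YAML.safe_load`) can be turned into a small defensive check. The following Ruby script is an added example, not code from the article or from any of the researchers it cites: it scans a constructed sample of application source for `Marshal.load`/`Marshal.restore` calls, and then shows the property that makes Marshal dangerous and the safe parsers acceptable: Marshal rebuilds instances of arbitrary Ruby classes from the byte stream, whereas `JSON.parse` only returns plain data and `YAML.safe_load` refuses object tags for classes not on its allowlist. The `Preference` struct and the sample source are hypothetical.

```ruby
require 'json'
require 'yaml'

# Any call that deserializes with Marshal should be flagged during an audit.
UNSAFE_DESERIALIZERS = /\bMarshal\.(load|restore)\b/

# Return [line_number, stripped_line] for every line in +source+ that calls
# Marshal.load or Marshal.restore.
def audit_marshal_usage(source)
  source.each_line.with_index(1)
        .select { |line, _| line =~ UNSAFE_DESERIALIZERS }
        .map { |line, n| [n, line.strip] }
end

# Constructed sample of application code to scan (hypothetical, not from any real project).
SAMPLE_SOURCE = <<~RUBY
  def load_session(cookie)
    Marshal.load(Base64.decode64(cookie))   # unsafe: attacker-controlled bytes
  end

  def load_prefs(raw)
    JSON.parse(raw)                          # fine: only Hash/Array/scalars come back
  end

  def restore_cache(blob)
    Marshal.restore(blob)                    # unsafe: alias of Marshal.load
  end
RUBY

# A hypothetical application class, standing in for whatever objects an app serializes.
Preference = Struct.new(:theme, :font_size)

# Marshal round-trips an object back into an instance of its original class:
# the byte stream decides which class gets instantiated.
def class_after_marshal_roundtrip(obj)
  Marshal.load(Marshal.dump(obj)).class
end

# JSON round-trips only plain data (Hash, Array, String, numbers, booleans, nil);
# no application class is ever instantiated by the parser.
def plain_json_roundtrip(hash)
  JSON.parse(JSON.generate(hash))
end

# YAML.safe_load rejects the !ruby/struct:... tag that YAML.dump emits for a Struct,
# so a document naming an unexpected class is refused instead of instantiated.
def safe_yaml_rejects_object?(obj)
  YAML.safe_load(YAML.dump(obj))
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  audit_marshal_usage(SAMPLE_SOURCE).each do |n, line|
    puts "line #{n}: #{line}"
  end
  pref = Preference.new('dark', 12)
  puts "Marshal rebuilt: #{class_after_marshal_roundtrip(pref)}"
  puts "JSON returned:   #{plain_json_roundtrip('theme' => 'dark').class}"
  puts "safe_load refused struct: #{safe_yaml_rejects_object?(pref)}"
end
```

The audit regex is deliberately simple; in a real code base it should also be pointed at gem dependencies and at any cookie, cache or job-queue layer that may call Marshal indirectly, since the article's point is that the dangerous call is often not in first-party code.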
Neutral
The article details security flaws in Ruby’s Marshal module and offers remediation steps. It has no direct bearing on cryptocurrency markets, trading volumes, or token valuations. While infrastructure security is vital across technology sectors, this news does not influence short- or long-term crypto price movements or trader sentiment.