CVE-2026-41316: ERB @_init deserialization guard bypass via def_module / def_method / def_class | Ruby
24-Apr-2026
Any Ruby application that calls Marshal.load on untrusted data AND has both erb and activesupport loaded is vulnerable to arbitrary code execution. This includes:
Ruby on Rails applications that import untrusted serialized data – any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
Ruby tools that import untrusted serialized data – any tool using Marshal.load for caching, data import, or IPC
Legacy Rails apps (pre-7.0) that still use Marshal for cookie session serialization
Details
ERB implements an @_init guard to prevent code execution when ERB objects are reconstructed via Marshal.load on untrusted data. However, ERB#def_method, ERB#def_module, and ERB#def_class evaluate the template source without checking this guard, allowing an attacker who controls the data passed to Marshal.load to bypass the protection and execute arbitrary code. In particular, def_module takes no arguments, making it straightforward to invoke as part of a deserialization gadget chain.
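As an added example (not code from the advisory, from Ruby, or from ERB): a conservative pre-load gate for code paths that cannot yet move untrusted data off Marshal. It refuses a stream that names the ERB class before Marshal.load ever runs, so the guard bypass in def_module / def_method / def_class is never reachable. The helper names and the deny list are this example's own choices; the real fix is to deserialize untrusted input with a data-only format such as JSON.

```ruby
# Example code, not from the advisory or from ERB itself.
DENIED_CLASSES = %w[ERB].freeze # extend with other classes you never expect in data

# Decode a Marshal "long" at byte offset i; returns [value, bytes_used] or nil.
def marshal_long(bytes, i)
  c = bytes.getbyte(i)
  return nil if c.nil?
  c -= 256 if c > 127            # the length prefix is a signed byte
  return [0, 1] if c == 0
  return [c - 5, 1] if c > 5     # 1..122 is stored as n + 5
  return [c + 5, 1] if c < -5    # -123..-1 is stored as n - 5
  n = c.abs                      # otherwise c is the count of little-endian bytes
  return nil if i + n >= bytes.bytesize
  v = (0...n).sum { |k| bytes.getbyte(i + 1 + k) << (8 * k) }
  v -= 1 << (8 * n) if c < 0
  [v, 1 + n]
end

# A symbol's first appearance in a Marshal stream is ':' + long + name, and
# class names (after 'o', 'C', 'e', 'u', 'U') are symbols. Scanning every
# offset for that shape therefore sees every class the stream references;
# a ':' inside string data only adds spurious candidates, which makes the
# gate stricter, never more permissive.
def marshal_symbol_candidates(bytes)
  names = []
  (0...bytes.bytesize).each do |i|
    next unless bytes.getbyte(i) == 0x3a
    len, used = marshal_long(bytes, i + 1)
    next if len.nil? || len <= 0 || len > 255
    start = i + 1 + used
    next if start + len > bytes.bytesize
    names << bytes.byteslice(start, len)
  end
  names.uniq
end

# Raise before loading if the stream references a denied class or a constant
# nested under one (e.g. "ERB::Compiler"); otherwise load as usual.
def safe_marshal_load(bytes)
  hit = marshal_symbol_candidates(bytes).select do |name|
    DENIED_CLASSES.any? { |d| name == d || name.start_with?("#{d}::") }
  end
  raise ArgumentError, "refusing Marshal stream referencing #{hit.join(', ')}" unless hit.empty?
  Marshal.load(bytes)
end
```

The scan is a stop-gap for a single known gadget class; it does not make Marshal.load on untrusted data safe in general.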