Marshal madness: A brief history of Ruby deserialization exploits -The Trail of Bits Blog
25-Aug-2025
Documenting the evolution of exploitation techniques serves a crucial purpose in security engineering: it helps us understand not just individual vulnerabilities but the systemic patterns that resist conventional fixes. The story of deserialization exploits in Ruby’s Marshal module offers a uniquely well-documented case study of this phenomenon: a decade-long cycle of patches and bypasses that reveals the futility of addressing symptoms rather than root causes.
This history matters because it demonstrates why certain classes of vulnerabilities persist despite our best efforts. By tracing how we got here, we can better understand why fundamental changes to the Ruby ecosystem are necessary, rather than continued reliance on the patch-and-hope approach that has thus far failed to solve the problem.
https://www.rubyonrails.ba/link/marshal-madness-a-brief-history-of-ruby-deserialization-exploits-the-trail-of-bits-blog