v0.4.25
Important
The 0.4.x release branch will only receive security fixes, and will be unsupported once Ruby 3.3 reaches end of life.
Please upgrade to a newer version.
What's Changed
Special thanks to @hsbt for backporting most of these PRs, in #707!
🔒 Security
This release fixes several more security vulnerabilities related to the fixes in v0.4.24. Please see the linked security advisories for details.
- (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8)
Whether this is exploitable depends on how the server interprets non-synchronizing literals (`{n+}` / `{n-}`, RFC 7888). The connection is not vulnerable if the server supports non-synchronizing literals.
  - 🥅 Validate non-synchronizing literals support (backports #701)
- (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
- (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66)
This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
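As an added illustration (not net-imap's own `RawData` code, and not the project's fix), the following Ruby validator applies the checks the advisories above describe to a raw IMAP argument before it is appended to a command line: a literal must carry exactly the byte count it declares (otherwise the server keeps waiting and the command hangs), non-synchronizing literals are allowed only when the server advertised `LITERAL+` or `LITERAL-`, and no bare CR or LF may appear outside a literal body. The method names, the `RawArgError` class and the `capabilities:` parameter are this example's own assumptions; the sample inputs at the bottom are constructed.

```ruby
# Illustrative validator for a "raw" IMAP command argument (added example,
# not net-imap's own code). Assumes the caller passes the server's advertised
# CAPABILITY list so we can decide whether {n+} / {n-} may appear at all.

class RawArgError < StandardError; end

# RFC 3501 / RFC 7888 literal header: "{" count ["+" | "-"] "}" CRLF
LITERAL_HEADER = /\A\{(\d+)([+-]?)\}\r\n/.freeze

# Returns `raw` unchanged when it is safe to append to a command line,
# otherwise raises RawArgError. `capabilities` is an array of strings.
def validate_raw_arg(raw, capabilities:)
  caps = capabilities.map(&:upcase)
  literal_plus  = caps.include?("LITERAL+")
  literal_minus = caps.include?("LITERAL-")
  bytes = raw.b # work on bytes so counts match what goes on the wire
  pos = 0

  while pos < bytes.bytesize
    ch = bytes.byteslice(pos, 1)
    case ch
    when "{"
      m = LITERAL_HEADER.match(bytes.byteslice(pos..))
      raise RawArgError, "malformed literal at byte #{pos}" unless m

      len, mode = m[1].to_i, m[2]
      if mode.empty?
        # A synchronizing literal needs a continuation round-trip that a raw
        # argument cannot perform, so it must not be sent blind.
        raise RawArgError, "synchronizing literal {#{len}} not allowed in a raw argument"
      end
      unless literal_plus || literal_minus
        # Without LITERAL+/LITERAL- the server's handling of {n+} is undefined
        # for our purposes, which is exactly the condition the advisory names.
        raise RawArgError, "server does not advertise LITERAL+ or LITERAL-"
      end
      if len > 4096 && !literal_plus
        # LITERAL- limits non-synchronizing literals to 4096 bytes (RFC 7888).
        raise RawArgError, "literal of #{len} bytes exceeds the LITERAL- limit"
      end

      body_start = pos + m[0].bytesize
      available  = bytes.bytesize - body_start
      if available < len
        # Too few bytes: the server would wait for the rest and the command hangs.
        raise RawArgError, "literal declares #{len} bytes but only #{available} follow"
      end
      pos = body_start + len # skip the body; it may legitimately contain CRLF
    when "\""
      pos = skip_quoted(bytes, pos)
    when "\r", "\n"
      raise RawArgError, "bare CR/LF at byte #{pos} would terminate the command"
    else
      pos += 1
    end
  end
  raw
end

# Advances past an RFC 3501 quoted string starting at `pos`. Quoted strings
# may not contain CR or LF; a backslash escapes the following byte.
def skip_quoted(bytes, pos)
  i = pos + 1
  while i < bytes.bytesize
    case bytes.byteslice(i, 1)
    when "\\" then i += 2
    when "\"" then return i + 1
    when "\r", "\n"
      raise RawArgError, "CR/LF inside quoted string at byte #{i}"
    else i += 1
    end
  end
  raise RawArgError, "unterminated quoted string starting at byte #{pos}"
end

# Predicate form for callers that just want a yes/no answer.
def raw_arg_safe?(raw, capabilities:)
  validate_raw_arg(raw, capabilities: capabilities)
  true
rescue RawArgError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs (not from any real session).
  caps = %w[IMAP4rev1 LITERAL+]
  puts raw_arg_safe?("INBOX {3+}\r\nabc", capabilities: caps)              # true
  puts raw_arg_safe?("INBOX {3+}\r\nabc", capabilities: %w[IMAP4rev1])     # false: no LITERAL+
  puts raw_arg_safe?("INBOX {10+}\r\nabc", capabilities: caps)             # false: short body
  puts raw_arg_safe?("INBOX\r\nX LOGOUT", capabilities: caps)              # false: bare CRLF
end
```

The validator is deliberately stricter than the wire grammar in one place: an unquoted `{` that does not start a well-formed non-synchronizing literal is rejected outright rather than passed through, since a raw argument has no legitimate use for it.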
Fixed
- Remove dead code resulting from cherry-pick of 6f82e28 by @jackorp in #706
- 🏷️ Allow 64-bit Integer arguments (backports #675)
- 🥅 Validate that Atom and Flag are not empty (backports #684)
- 🧵 Fix deadlock in `#disconnect` (backports #686)
Documentation
- ⚠️ Boost visibility of raw data argument documentation warnings (backports #677)
Other Changes
- 🧵 Close socket in #disconnect before waiting for lock & thread join (backports #493)
- 🥅 Ensure send_number_data input is an Integer (backports #676)
- ♻️ Improve `RawData.new`, `AddRawData.split` (backports #679)
- 🥅 Validate response literal byte size format (backports #681)
Miscellaneous
- ✅ Fix flaky tests with `FakeServer#Connection#close` mutex (backports half of #520)
- ✅ Improvements to tests' FakeServer (backports #678)
- Backport the security fixes to v0.4 for a 0.4.25 release by @hsbt in #707
New Contributors
Full Changelog: v0.4.24...v0.4.25