CVE-2026-33170: Ruby String Subclass State Loss
Missing state propagation when creating new string subclass instances. When wrapping the result of `super` in a new instance via `self.class.new(...)` in a `String` subclass, security-critical variables (like `@html_safe` in `SafeBuffer`) are lost because `initialize` resets them to defaults. This can cause explicit unsafe flags to be dropped during string o
Fetch the rule with `greprules fetch cve-2026-33170-ruby-string-subclass-state-loss --engine opengrep`.
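The pattern the rule targets, as an added illustration that is not the rule's own sample code and not Rails' `ActiveSupport::SafeBuffer`: the constructed `Buffer` class below keeps the relevant shape (`initialize` defaults `@html_safe` to true, unsafe content is flagged explicitly), `LossyBuffer#upcase` shows how wrapping `super` in `self.class.new(...)` silently restores the safe default on an explicitly unsafe receiver, and `PreservingBuffer` shows the fix of carrying the flag across.

```ruby
# Constructed minimal String subclass with the same shape as a SafeBuffer-style
# class: every new instance defaults to "safe"; unsafe content is flagged explicitly.
class Buffer < String
  def initialize(str = "")
    @html_safe = true   # default that self.class.new(...) silently restores
    super
  end

  def html_safe?
    @html_safe
  end

  def mark_unsafe!
    @html_safe = false
    self
  end

  protected

  def html_safe=(flag)
    @html_safe = flag
  end
end

# Vulnerable pattern: wrapping super's result in self.class.new(...) re-runs
# initialize, so an explicitly unsafe receiver yields a result reported as safe.
class LossyBuffer < Buffer
  def upcase(*args)
    self.class.new(super)
  end
end

# Hardened pattern: build the new instance, then carry the receiver's flag across.
class PreservingBuffer < Buffer
  def upcase(*args)
    result = self.class.new(super)
    result.html_safe = @html_safe
    result
  end
end

# Returns true when klass keeps an explicit unsafe flag through #upcase.
def state_preserved?(klass)
  !klass.new("<b>x</b>").mark_unsafe!.upcase.html_safe?
end

puts "LossyBuffer preserves unsafe flag: #{state_preserved?(LossyBuffer)}"            # false
puts "PreservingBuffer preserves unsafe flag: #{state_preserved?(PreservingBuffer)}"  # true
```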