Skip to content

[core] fix: update addressable to 2.9.0 min for CVE-2026-35611#30060

Merged
iBotPeaches merged 2 commits into
fastlane:masterfrom
orbisai0security:fix-cve-2026-35611-addressable
Jun 12, 2026
Merged

[core] fix: update addressable to 2.9.0 min for CVE-2026-35611#30060
iBotPeaches merged 2 commits into
fastlane:masterfrom
orbisai0security:fix-cve-2026-35611-addressable

Conversation

@orbisai0security

Copy link
Copy Markdown
Contributor

Summary

Upgrade addressable from 2.8.7 to >= 2.9.0 to fix CVE-2026-35611.

Vulnerability

Field Value
ID CVE-2026-35611
Severity HIGH
Scanner trivy
Rule CVE-2026-35611
File Gemfile.lock
Assessment Likely exploitable

Description: addressable: Addressable: Denial of Service via crafted URI templates

Evidence

Scanner confirmation: trivy rule CVE-2026-35611 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Changes

  • Gemfile
  • Gemfile.lock

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security

Automated dependency upgrade by OrbisAI Security
@iBotPeaches

Copy link
Copy Markdown
Member

Match is looking to have issues with these upgrades.

Executing match module load up test
/Users/runner/hostedtoolcache/Ruby/3.3.11/arm64/lib/ruby/3.3.0/rubygems/dependency.rb:301:in `to_specs': Could not find 'multi_json' (>= 1.14.1) among 157 total gem(s) (Gem::MissingSpecError)

@iBotPeaches

Copy link
Copy Markdown
Member

Hmm sorry, that appears to be an unrelated issue - googleapis/google-api-ruby-client#26611

@orbisai0security orbisai0security changed the title fix: upgrade addressable to >= 2.9.0 (CVE-2026-35611) fix: update addressable to 2.9.0 for CVE-2026-35611 Jun 6, 2026
@orbisai0security

Copy link
Copy Markdown
Contributor Author

Match is looking to have issues with these upgrades.

Executing match module load up test
/Users/runner/hostedtoolcache/Ruby/3.3.11/arm64/lib/ruby/3.3.0/rubygems/dependency.rb:301:in `to_specs': Could not find 'multi_json' (>= 1.14.1) among 157 total gem(s) (Gem::MissingSpecError)

Addressed. Pls review.

@iBotPeaches iBotPeaches left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems fine. Both of these versions are so old, dropping 2.8 just drops Ruby 2.0-2.2 support which isn't relevant to fastlane.

@iBotPeaches iBotPeaches changed the title fix: update addressable to 2.9.0 for CVE-2026-35611 [core] fix: update addressable to 2.9.0 min for CVE-2026-35611 Jun 8, 2026
@iBotPeaches iBotPeaches merged commit 3e11dad into fastlane:master Jun 12, 2026
9 checks passed

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @orbisai0security 👋

Thank you for your contribution to fastlane and congrats on getting this pull request merged 🎉
The code change now lives in the master branch, however it wasn't released to RubyGems yet.
We usually ship about once a month, and your PR will be included in the next one.

Please let us know if this change requires an immediate release by adding a comment here 👍
We'll notify you once we shipped a new release with your changes 🚀"

This was referenced Jul 4, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Congratulations! 🎉 This was released as part of fastlane 2.237.0 🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants