CVE-2017-10784 in macOS

Summary

by MITRE

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.


Analysis

by VulDB Data Team • 05/10/2026

The vulnerability identified as CVE-2017-10784 represents a critical security flaw within the WEBrick HTTP server library that ships with the Ruby programming language. This issue affects multiple versions of Ruby, including those before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1, making it a widespread concern for developers and system administrators who rely on Ruby-based web applications. The vulnerability specifically targets the Basic authentication implementation within WEBrick, which serves as a built-in HTTP server for Ruby applications and is commonly used in development environments and simple web services.

The technical flaw stems from improper input validation in the Basic authentication handling mechanism of WEBrick. When a user attempts to authenticate with a crafted username containing terminal emulator escape sequences, the system fails to properly sanitize this input before logging it. These escape sequences, typically used to control terminal behavior such as color formatting, cursor positioning, or screen clearing, are not properly filtered or escaped during the logging process. This inadequate sanitization creates a condition where maliciously constructed usernames can contain sequences that manipulate the terminal output when logged by WEBrick, potentially allowing attackers to inject commands that execute in the context of the web server process.

The operational impact of this vulnerability extends beyond simple logging manipulation and can potentially lead to arbitrary code execution on affected systems. When terminal escape sequences are logged, they may be interpreted by terminal emulators or log viewing applications, creating opportunities for attackers to execute commands with the privileges of the web server process. This represents a significant escalation from a simple logging vulnerability to a potential remote code execution vector, particularly in environments where logs are viewed in terminal emulators or processed by applications that interpret escape sequences. The vulnerability can be exploited by remote attackers without requiring authentication to the web service itself, making it particularly dangerous for publicly accessible Ruby applications.

This vulnerability maps to CWE-77 and CWE-74 within the Common Weakness Enumeration framework, specifically addressing weaknesses in command injection and improper neutralization of special elements used in a command. The attack pattern aligns with techniques documented in the MITRE ATT&CK framework under the T1059.007 sub-technique for Command and Scripting Interpreter: PowerShell, though the specific exploitation mechanism in this case involves terminal escape sequences rather than PowerShell directly. Organizations using Ruby applications with WEBrick should consider this vulnerability as part of their broader security posture assessment, particularly in development environments where terminal-based logging is common. The remediation strategy focuses on upgrading to patched versions of Ruby where the input sanitization has been improved to properly escape or filter terminal escape sequences before logging user-provided data. Additionally, implementing proper input validation at multiple layers of the application architecture can provide defense-in-depth against similar vulnerabilities in other components.
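The flaw class described above (a user-supplied name written verbatim into a log line) and the remediation it calls for (neutralising control characters before logging) can be shown side by side. The following is an added illustration, not WEBrick's or Ruby's own code: the log message text, the `sanitize_for_log` and `terminal_escape?` helpers and the sample usernames are all constructed for this example, and the exact wording of WEBrick's real log line is not reproduced here.

```ruby
# Added example (not from WEBrick): an unsafe log line beside a hardened one.

# Unsafe: mirrors the flaw class. The username is interpolated as-is, so any
# ESC / control bytes it carries reach the log file unchanged and may later be
# interpreted by whatever terminal or viewer displays that file.
# (Message text is constructed for this example, not WEBrick's exact string.)
def unsafe_auth_log_line(user)
  "WEBrick::HTTPAuth::BasicAuth: #{user}: password unmatch."
end

# Characters a terminal emulator may act on when the string is valid UTF-8:
# C0 controls (incl. ESC 0x1B, CR, LF, NUL), DEL, and the C1 range 0x80-0x9F
# (which carries the single-byte CSI 0x9B).
CONTROL_UTF8  = /[\u0000-\u001F\u007F\u0080-\u009F]/
# Fallback for input that is not valid UTF-8: treat it as raw bytes and
# escape every byte outside printable ASCII.
CONTROL_BYTES = /[\x00-\x1F\x7F-\xFF]/n

# Replace each control character with a visible \xNN escape so the log stays a
# single line of printable text. Ordinary Unicode letters pass through unchanged.
def sanitize_for_log(raw)
  str = raw.dup.force_encoding(Encoding::UTF_8)
  if str.valid_encoding?
    str.gsub(CONTROL_UTF8) { |c| format('\\x%02X', c.ord) }
  else
    raw.b.gsub(CONTROL_BYTES) { |c| format('\\x%02X', c.ord) }
  end
end

# Hardened: same message, but the untrusted field is neutralised first.
def safe_auth_log_line(user)
  "WEBrick::HTTPAuth::BasicAuth: #{sanitize_for_log(user)}: password unmatch."
end

# Detection helper for existing logs or request fields: true when the value
# contains an ESC byte or the C1 CSI byte, the two prefixes that start nearly
# every terminal control sequence.
def terminal_escape?(raw)
  raw.b.match?(/[\x1B\x9B]/n)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a username carrying ESC [ 2 J (a "clear screen" sequence).
  crafted = "ad\e[2Jmin"
  puts "contains escape? #{terminal_escape?(crafted)}"
  puts "unsafe: #{unsafe_auth_log_line(crafted).inspect}"
  puts "safe:   #{safe_auth_log_line(crafted)}"
end
```

Note that `sanitize_for_log` escapes CR and LF as well, so a crafted value cannot forge additional log lines either; the byte-level fallback means an invalid-UTF-8 username never raises an encoding error inside the logging path itself.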

Reservation: 07/01/2017
Disclosure: 09/19/2017
Moderation: accepted
Entry: 2
CPE: ready
EPSS: 0.02067
KEV: no
Activities: very low

Sources
