Impact
A vulnerability was found in Ruby LSP, an implementation of the language server protocol for Ruby. The rubyLsp.branch VS Code workspace setting was interpolated into a generated Gemfile without proper sanitization. If a malicious .vscode/settings.json file is present in a project, opening that workspace can cause arbitrary Ruby code to be executed, giving an attacker full control of the user’s environment. This weakness is identified as CWE-94: Improper Control of Generation of Code or Logic.
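The root cause described above is that a workspace-controlled string was copied verbatim into a file that Ruby later evaluates. The following added example (not code from the Ruby LSP project) shows the defensive pattern for this class of bug: validate the branch name against a strict allowlist before it ever reaches the generated Gemfile, and quote it as a Ruby literal as a second layer. The validator, the regular expression, the 255-byte limit and the function names are assumptions made for this illustration, not the project's fix.

```ruby
# Added example, not Ruby LSP's own code: validating a user-controlled branch
# name before it is interpolated into a generated Gemfile.
#
# A Gemfile is Ruby source, so any setting copied into it unchecked is code
# injection (CWE-94). The mitigation is to accept only values that match a
# narrow allowlist and reject everything else before generation.

class InvalidBranchName < ArgumentError; end

# Hypothetical allowlist: must start with an alphanumeric character, then only
# alphanumerics, dot, underscore, slash and dash. Anchored with \A and \z so a
# newline cannot smuggle in a second Gemfile line.
BRANCH_NAME = %r{\A[A-Za-z0-9][A-Za-z0-9._/-]*\z}

# Raise on anything that is not a plausible git branch name. The 255-byte cap
# is an assumption chosen for this example, not a project constant.
def validate_branch!(branch)
  raise InvalidBranchName, "branch must be a String" unless branch.is_a?(String)
  raise InvalidBranchName, "branch is empty" if branch.empty?
  raise InvalidBranchName, "branch too long" if branch.bytesize > 255
  raise InvalidBranchName, "disallowed characters in branch name" unless BRANCH_NAME.match?(branch)
  # git refuses ".." and a trailing ".lock" in ref names; mirror those rules.
  raise InvalidBranchName, "branch contains '..'" if branch.include?("..")
  raise InvalidBranchName, "branch ends with .lock" if branch.end_with?(".lock")
  branch
end

# Build the Gemfile line that pins ruby-lsp to a branch. String#inspect emits a
# quoted Ruby string literal, so even a value that slipped past validation would
# be rendered as data rather than code.
def gemfile_line_for(branch)
  safe = validate_branch!(branch)
  "gem \"ruby-lsp\", github: \"Shopify/ruby-lsp\", branch: #{safe.inspect}"
end

# Boolean convenience wrapper for callers that want to report rather than raise.
def safe_branch?(branch)
  validate_branch!(branch)
  true
rescue InvalidBranchName
  false
end

if $PROGRAM_NAME == __FILE__
  puts gemfile_line_for("main")
  puts safe_branch?("feature/fix-123")
  puts safe_branch?("main\n# constructed multi-line value")
end
```

The important design choice is the anchored regular expression: `\A` and `\z` bind the whole string, so a value containing a newline or a `#` is rejected outright instead of becoming a second line of the generated file. Quoting with `inspect` is defence in depth, not a substitute for the allowlist.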
Affected Systems
The issue affects Shopify’s Ruby LSP implementation. Versions prior to Shopify.ruby-lsp 0.10.2 and ruby-lsp 0.26.9 are vulnerable. The affected VS Code extension is published as Shopify.ruby-lsp and is developed in the Shopify/ruby-lsp repository. Users running older versions should update. No other vendors or product versions were listed as affected.
Risk and Exploitability
The CVSS base score of 7.1 indicates a high severity, and the vulnerability is classified as a local risk that requires the user to open a compromised workspace. The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog. Because the exploit vector requires a malicious settings file in the project, an attacker would need to gain access to a developer’s filesystem or supply a malicious project, which limits the scope but still poses a significant threat to developers who open third‑party projects. Prompt patching is recommended to mitigate this risk.
OpenCVE Enrichment
GitHub GHSA