A security advisory (CVE-2026-33306) discloses an integer overflow bug in the JRuby implementation of bcrypt-ruby. When the bcrypt cost parameter is set to 31, a signed 32-bit integer overflow causes the key-strengthening loop to execute zero iterations instead of 2^31, effectively reducing bcrypt to constant-time computation.
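As an added illustration, not code from the gem or the advisory, the C program below models the arithmetic the advisory describes: in Java's signed 32-bit `int`, `1 << 31` wraps to a negative value, so a strengthening loop bounded by it runs zero times, while a range check plus 64-bit arithmetic yields the intended 2^31. The loop shape and the `rounds_*` helper names are assumptions; the 4..31 cost range is bcrypt's standard one.

```c
#include <stdint.h>
#include <stdio.h>

/* Cost-to-rounds conversion with Java-style signed 32-bit semantics.
 * Java's 1 << 31 wraps to Integer.MIN_VALUE; in C we shift an unsigned
 * value and cast, since shifting into the sign bit of a signed int is
 * undefined behaviour (the cast is two's-complement on mainstream
 * compilers, which is what this model relies on). */
static int32_t rounds_int32(int cost) {
    return (int32_t)(1u << cost);   /* cost 31 -> -2147483648 */
}

/* Simulate a key-strengthening loop of the assumed form
 *   for (i = 0; i < rounds; i++) expand_key(...);
 * and report how often the body runs. A negative bound exits at once,
 * i.e. zero rounds of strengthening. */
static int64_t iterations_run(int32_t rounds) {
    int64_t count = 0;
    for (int32_t i = 0; i < rounds; i++)
        count++;
    return count;
}

/* Hardened variant: reject costs outside bcrypt's 4..31 range (0 is
 * returned as the rejection signal, since no valid cost yields 0
 * rounds) and compute the round count in a width that cannot wrap. */
static uint64_t rounds_checked(int cost) {
    if (cost < 4 || cost > 31)
        return 0;
    return (uint64_t)1 << cost;     /* cost 31 -> 2147483648 */
}

int main(void) {
    int costs[] = {4, 12, 30, 31};
    for (size_t k = 0; k < sizeof costs / sizeof costs[0]; k++) {
        int32_t r32 = rounds_int32(costs[k]);
        printf("cost %2d: int32 rounds=%11d (%s), 64-bit rounds=%llu\n",
               costs[k], r32, r32 > 0 ? "loop runs" : "loop runs ZERO times",
               (unsigned long long)rounds_checked(costs[k]));
    }
    printf("strengthening iterations actually executed at cost 31: %lld\n",
           (long long)iterations_run(rounds_int32(31)));
    return 0;
}
```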

Source: rubysec.com