A critical security vulnerability (CVSS 9.8) in the ruby-lsp gem allows arbitrary Ruby code execution. The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, meaning opening a malicious repository containing a crafted .vscode/settings.json could execute code with the user's privileges. The fix removes the branch setting entirely. VS Code extension users should be on >= 0.10.2 and gem users should update to >= 0.26.9.
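A pre-open check for the setting described above, as an added example (not code from ruby-lsp or the advisory): it flags any `.vscode/settings.json` in a checkout that sets `rubyLsp.branch`. The function names, severity labels and the branch-name allowlist are assumptions made for this sketch.

```ruby
require "json"

# Setting named in the advisory; the fixed releases no longer read it.
SETTING = "rubyLsp.branch"
# Assumption: a conservative allowlist for ordinary git branch names.
PLAIN_BRANCH = /\A[A-Za-z0-9][A-Za-z0-9._\/-]{0,199}\z/

# Returns nil when the setting is absent, otherwise a hash describing it.
def audit_settings(text, path = ".vscode/settings.json")
  begin
    data = JSON.parse(text)
  rescue JSON::ParserError
    # settings.json may hold comments or trailing commas that strict JSON
    # rejects, so fall back to a raw search for the key.
    return nil unless text.include?(%("#{SETTING}"))
    return { path: path, value: nil, severity: :review,
             reason: "file is not strict JSON but mentions #{SETTING}" }
  end
  return nil unless data.is_a?(Hash) && data.key?(SETTING)

  value = data[SETTING]
  if value.is_a?(String) && value.match?(PLAIN_BRANCH)
    { path: path, value: value, severity: :review,
      reason: "#{SETTING} is set; fixed releases removed this setting" }
  else
    { path: path, value: value, severity: :high,
      reason: "#{SETTING} is not a plain branch name" }
  end
end

# Walks a checkout and audits every .vscode/settings.json in it.
def audit_tree(root)
  Dir.glob(File.join(root, "**", ".vscode", "settings.json"))
     .filter_map { |p| audit_settings(File.read(p), p) }
end

# Command-line use: ruby audit.rb path/to/checkout
if __FILE__ == $PROGRAM_NAME && ARGV.any?
  audit_tree(ARGV[0]).each do |f|
    puts "#{f[:severity]}\t#{f[:path]}\t#{f[:reason]}"
  end
end
```

Run it against a freshly cloned repository before opening the folder in VS Code; a `high` result means the value contains characters an ordinary branch name would not.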