The Questionable Substitution: SQL Injection in JRuby's JDBC Adapter
Jan 17, 2026
Executive Summary (TL;DR)
Older versions of `activerecord-jdbc-adapter` (< 1.2.8) used a naive `gsub`-based strategy to substitute quoted values for SQL bind placeholders (`?`). If a bound value itself contained a `?`, the adapter treated that character as a fresh placeholder and spliced the *next* bind parameter, quote delimiters and all, into the middle of the current string literal. The leading quote of the spliced value terminates the literal early, so an attacker who controls two consecutive parameters can end the first with `?` and supply arbitrary SQL (typically followed by a `--` comment) in the second: a classic SQL injection.
In short: a recursive string-substitution flaw in the activerecord-jdbc-adapter gem allowed attackers to inject SQL by placing a question mark in one bound value and their payload in the following one. It affects ActiveRecord applications running on JRuby that connect to their database through this adapter's JDBC bridge.
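The substitution pattern described above, with the hardened form beside it, as an added illustration written for this page (it is not the gem's own `substitute_binds` implementation). The helper names are hypothetical, the quoting is a minimal single-quote-doubling model, and the attacker input is constructed for the demonstration. The vulnerable model performs one substitution per bind and re-scans the whole statement each time; the hardened model makes a single left-to-right pass so replacement text is never re-examined.

```ruby
# Added example, not code from activerecord-jdbc-adapter. A simplified model
# of sequential bind substitution (vulnerable) versus single-pass
# substitution (hardened). All names below are hypothetical.

# Minimal SQL string quoting: wrap in single quotes and double any embedded
# quote. A correct adapter does this per value; the bug is not here.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Vulnerable model: one substitution per bind, each re-scanning the whole
# statement for the next '?'. A '?' inside an already-inserted literal is
# picked up as the next placeholder, so bind N+1 lands inside literal N.
def substitute_binds_sequential(sql, binds)
  binds.each_with_object(sql.dup) do |value, out|
    out.sub!('?') { quote_value(value) } # block form: no backslash expansion
  end
end

# Hardened model: a single pass over the original statement. Replacement
# text is never re-scanned, so a '?' inside a value is inert. Placeholder
# and bind counts must match, otherwise fail loudly instead of guessing.
def substitute_binds_single_pass(sql, binds)
  remaining = binds.dup
  out = sql.gsub('?') do
    raise ArgumentError, 'more placeholders than binds' if remaining.empty?
    quote_value(remaining.shift)
  end
  raise ArgumentError, 'more binds than placeholders' unless remaining.empty?
  out
end

# Counts '?' characters outside single-quoted literals (doubled quotes
# inside a literal are escapes, not delimiters). After a correct
# substitution this must be zero; the sequential model leaves one behind.
def bare_placeholders(statement)
  in_literal = false
  count = 0
  i = 0
  while i < statement.length
    ch = statement[i]
    if ch == "'"
      if in_literal && statement[i + 1] == "'"
        i += 1 # skip the escaped quote
      else
        in_literal = !in_literal
      end
    elsif ch == '?' && !in_literal
      count += 1
    end
    i += 1
  end
  count
end

SQL = 'SELECT * FROM users WHERE name = ? AND password = ?'

# Constructed attacker input: a trailing '?' in the first value, and a
# payload in the second whose leading quote (added by quote_value) closes
# the first literal while '--' comments out everything after it.
ATTACKER_BINDS = ['admin?', ' OR 1=1 --'].freeze

def vulnerable_statement
  substitute_binds_sequential(SQL, ATTACKER_BINDS)
end

def hardened_statement
  substitute_binds_single_pass(SQL, ATTACKER_BINDS)
end

if __FILE__ == $PROGRAM_NAME
  puts "sequential: #{vulnerable_statement}"
  puts "  bare placeholders left: #{bare_placeholders(vulnerable_statement)}"
  puts "single-pass: #{hardened_statement}"
  puts "  bare placeholders left: #{bare_placeholders(hardened_statement)}"
end
```

Run stand-alone, the sequential model renders `WHERE name = 'admin' OR 1=1 --'' AND password = ?`: the password check is commented out and one placeholder is never consumed, which is also the cheapest runtime check an application can add (a statement that still contains a placeholder outside a literal after substitution must not be sent). The single-pass model renders both values as intact literals, `'admin?'` and `' OR 1=1 --'`.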
Official Patches
Fixed in activerecord-jdbc-adapter 1.2.8 (see the affected-versions table below).
Technical Appendix
Affected Systems
| Product | Affected Versions | Fixed Version |
|---|---|---|
| activerecord-jdbc-adapter (RubyGems) | < 1.2.8 | 1.2.8 |

| Attribute | Detail |
|---|---|
| Vulnerability Type | SQL Injection (recursive bind substitution) |
| CWE ID | CWE-89 |
| CVSS Score | 8.8 (High) |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
| Attack Vector | Network |
| Affected Component | lib/arjdbc/jdbc/adapter.rb |
Weakness Classification
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')