Fix guide · low · exposed_gemfile_lock
Ruby Gemfile.lock file exposed
What this rule means
Your /Gemfile.lock is reachable. It lists every Ruby gem in your app with exact versions. Useful for attackers cross-referencing against public CVEs.
Why it matters
Same shape as composer.lock but for Ruby: Gemfile.lock pins exact gem versions. Attackers parse it to find known CVEs applicable to your stack.
Common targets cross-referenced from a leaked Gemfile.lock:
- rails — every minor version has had at least one CVE; an out-of-date Rails is the most direct exploitation path.
- devise — auth gem with several historical CVEs.
- nokogiri — XML parsing, libxml2 CVEs propagate here.
- rack — every Rack-based Ruby app uses it; CVE surface is wide.
Reconnaissance, not direct credential leak.
How to fix it
- Block
Gemfile.lockat the web server. It belongs in source control, not in production HTTP. - Run
bundle auditas part of CI to catch known CVEs in your gems. - For Rails apps, the default layout keeps
Gemfile.lockoutside the public root — confirm yours hasn't been broken by a custom deploy script. - Keep gems patched. Subscribe to the Ruby security mailing list or monitor GitHub Advisory Database.
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
Run another inspection