CVE-2021-21289

Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.

Published: Feb 2, 2021
Updated: Nov 16, 2025
CVE: CVE-2021-21289
GHSA: GHSA-qrqm-fpv6-6r8g
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.4
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

CVSS v2:

Severity: High
Score: 7.6
AV:N/AC:H/Au:N/C:C/I:C/A:C

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
mechanize_project / mechanize	2.0	2.7.7
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
debian / debian_linux	9.0	9.0.x
mechanize	2.0.0	2.7.7

Vulnerability Database

309,130

CVE-2021-21289

Deep Security Visibility Without the Complexity