🚨 [security] [ruby] Update bcrypt 3.1.21 → 3.1.22 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ bcrypt (3.1.21 → 3.1.22) · Repo · Changelog

Security Advisories 🚨

🚨 bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby

Impact

An integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen.

The JRuby implementation of bcrypt-ruby (BCrypt.java) computes the key-strengthening round count as a signed 32-bit integer. When cost=31 (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes zero iterations. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain.

The resulting hash looks valid ($2a$31$...) and verifies correctly via checkpw, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a $2a$31$ hash.

Patches

This problem has been fixed in version 3.1.22

Workarounds

Set the cost to something less than 31.

Release Notes

3.1.22

What's Changed

• Move compilation after bundle install by @tenderlove in #291
• Add TruffleRuby in CI by @tjschuck in #293
• fix env url by @tenderlove in #294

Full Changelog: v3.1.21...v3.1.22

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• Merge commit from fork
• bump version update changelog
• Fix integer overflow in JRuby BCrypt rounds calculation
• Merge pull request #294 from bcrypt-ruby/fix-publishing
• fix env url
• Merge pull request #293 from bcrypt-ruby/truffleruby-ci-alt-implementation
• Add TruffleRuby in CI
• Merge pull request #291 from tenderlove/fix-publishing
• Move compilation after bundle install

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)