Word has it that Ruby 1.8.5 and below (i.e. all versions of Ruby) have a security flaw in cgi.rb that lets a remote attacker drive your application's CPU usage to its maximum with a single request, effectively a denial-of-service attack.

There’s a nice write-up of it on Evan Weaver’s blog. According to Evan and Zed Shaw, Rails apps running under Mongrel and Litespeed are also affected. The original announcement from Zed is on the mailing list here.

Thanks to Pat Eyler for the tip-off.