@JRuby@ruby.social · 3d ago
Earlier today the JRuby team was informed of a low-severity vulnerability in the bcrypt-ruby gem. We worked with the library's maintainers to arrange a fix and disclosure. The issue is now fixed in versions 3.1.22 and higher. Exposure risk is low, but upgrading is recommended.
CVE-2026-33306: Integer Overflow Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby
https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954
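A triage check for the condition this post names (JRuby, bcrypt-ruby older than 3.1.22, cost 31), as an added example that is not code from the post, the advisory or the bcrypt-ruby project. The helper names, the sample hashes and the 32-bit wrap-around model of the overflow are assumptions made for illustration.

```ruby
require "rubygems" # Gem::Version, for comparing gem versions

FIXED_VERSION = Gem::Version.new("3.1.22") # first fixed release, per the post
AFFECTED_COST = 31                         # cost named in the CVE title

# Assumption: the round count is 1 << cost held in a signed 32-bit integer.
# Models that wrap-around in plain Ruby for bcrypt's cost range (4..31).
def int32_rounds(cost)
  v = (1 << cost) & 0xFFFF_FFFF
  v >= 0x8000_0000 ? v - 0x1_0000_0000 : v
end

# Assumption: the rounds drive a counting loop of the form `i < rounds`,
# so a negative round count means the loop body never runs.
def loop_iterations(cost)
  [int32_rounds(cost), 0].max
end

# bcrypt hash layout: $2<variant>$<2-digit cost>$<22-char salt + 31-char digest>
BCRYPT_RE = %r{\A\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}\z}

# Returns the cost of a bcrypt hash string, or nil if it is not one.
def bcrypt_cost(hash)
  m = BCRYPT_RE.match(hash.to_s)
  m && m[1].to_i
end

# True when the runtime matches the affected combination from the post.
def exposed_runtime?(engine, gem_version)
  engine == "jruby" && Gem::Version.new(gem_version) < FIXED_VERSION
end

# Reports whether an upgrade is needed and which stored hashes use cost 31.
def triage(engine:, gem_version:, hashes:)
  flagged = hashes.select { |h| bcrypt_cost(h) == AFFECTED_COST }
  { upgrade_needed: exposed_runtime?(engine, gem_version), review_hashes: flagged }
end

# Constructed sample data (placeholder salt/digest characters, not real hashes).
TAIL = "." * 53
SAMPLE = ["$2a$12$#{TAIL}", "$2a$31$#{TAIL}", "not-a-hash"].freeze

if __FILE__ == $PROGRAM_NAME
  puts "cost 12 -> #{loop_iterations(12)} iterations, cost 31 -> #{loop_iterations(31)}"
  p triage(engine: RUBY_ENGINE, gem_version: "3.1.21", hashes: SAMPLE)
end
```

In a real application, pass `RUBY_ENGINE` and the installed gem's version (for example from `Gem.loaded_specs["bcrypt"]`) instead of the constructed values.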