The karo gem 2.3.8 for Ruby allows Remote command injection via the host field.
karo project karo 2.3.8