With jruby 1.7.17 (and going back at least to 1.7.6 and probably longer), Regexp.union [] in ruby 1.8 mode gives // instead of /(?!)/. In ruby 1.9 mode, it gives /(?!)/. MRI 1.8.7 behavior is /(?!)/. So instead of the regexp matching nothing, this bug makes the regexp match everything.

While not a security vulnerability itself, this can potentially cause security vulnerabilities, if the result of the Regexp.union [] call is being used as a whitelist filter.