Bundler, the Ruby dependency manager, is exposed to an attack known as lockfile injection: an attacker who can change Gemfile.lock (for example through a pull request) adds or alters entries so that the lockfile resolves to gems the Gemfile manifest never asked for, and `bundle install` then fetches and installs them, which can lead to arbitrary code execution on a developer's machine or a CI runner. The attack works because lockfiles are machine-generated and rarely read line by line during code review, while Bundler trusts the lockfile's recorded dependency graph when it installs. RubyGems has no general install hook of the kind npm offers with `postinstall` scripts, but a gem that declares a native extension has its `extconf.rb` run by the installer, and that file is arbitrary Ruby, so an injected gem still gets code execution at install time. Mitigations: let an automated tool (such as Dependabot or Renovate) be the only thing that regenerates the lockfile, treat any hand edit to Gemfile.lock as suspicious in review, and install in frozen/deployment mode (`bundle install --deployment`; in Bundler 2, `bundle config set --local deployment true` or `BUNDLE_FROZEN=true`), which makes Bundler refuse to proceed when the lockfile's top-level DEPENDENCIES or sources no longer match the Gemfile. Frozen mode does not validate the resolved specs themselves, so an entry spliced into a legitimate gem's dependency list is not caught by it; only re-resolving from the Gemfile in a clean environment and diffing the result exposes that case.
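The following is an added example, not code from the original page or from Bundler: a small offline check that reproduces the kind of consistency test frozen mode performs and shows where it stops. It evaluates the Gemfile with a minimal stand-in for Bundler's DSL that records only `gem` calls, parses the lockfile's `GEM` and `DEPENDENCIES` sections with a hand-written parser rather than Bundler's `LockfileParser`, and reports two signals: a top-level dependency the Gemfile never declares, and a spec that nothing in the dependency graph reaches. The Gemfile and the three lockfiles (`LOCKFILE_CLEAN`, `LOCKFILE_TAMPERED`, `LOCKFILE_SPLICED`) are constructed for the example; `evil-gem`, `evil-helper` and `sneaky-helper` are hypothetical names.

```ruby
# Added example (not Bundler's code): detect hand-edited Gemfile.lock entries.
# Parser and DSL stand-in are deliberately minimal; sample inputs are constructed.
require "set"

# Minimal Gemfile evaluator: records the names passed to `gem`, swallows
# everything else Bundler's DSL accepts (source, ruby, group, gemspec, ...).
class GemfileNames
  attr_reader :names

  def initialize
    @names = Set.new
  end

  def gem(name, *_args, **_opts)
    @names << name.to_s
  end

  def method_missing(_name, *_args, **_opts, &block)
    instance_eval(&block) if block # e.g. `group :test do ... end`
    nil
  end

  def respond_to_missing?(_name, _include_private = false)
    true
  end
end

# Parses the GEM/GIT/PATH specs and the DEPENDENCIES section of a lockfile.
# Returns [specs, deps]: specs maps gem name => names it depends on (as
# recorded in the lockfile), deps is the list of top-level dependency names.
def parse_lockfile(text)
  specs = {}
  deps = []
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/ # unindented header: GEM, PLATFORMS, DEPENDENCIES, ...
      section = line.strip
      current = nil
      next
    end
    indent = line[/\A */].size
    name = line.strip.sub(/\s*\(.*\)\z/, "") # drop "(version)" or "(constraint)"
    case section
    when "GEM", "GIT", "PATH"
      if indent == 4          # a resolved spec
        current = name
        specs[current] = []
      elsif indent == 6 && current # a dependency edge of that spec
        specs[current] << name
      end                     # indent 2 (remote:, specs:) carries no gem names
    when "DEPENDENCIES"
      deps << name.sub(/!\z/, "") # git/path dependencies end with "!"
    end
  end
  [specs, deps]
end

# Returns { undeclared: [...], orphans: [...] }.
#   undeclared: lockfile DEPENDENCIES absent from the Gemfile (frozen mode
#               rejects this case too)
#   orphans:    specs no declared dependency reaches through the lockfile's
#               own dependency edges, i.e. an entry nothing accounts for
def audit_lockfile(gemfile_src, lockfile_src)
  declared = GemfileNames.new.tap { |g| g.instance_eval(gemfile_src, "Gemfile") }.names
  specs, deps = parse_lockfile(lockfile_src)

  undeclared = deps.reject { |d| declared.include?(d) }

  reachable = Set.new
  queue = deps.dup
  until queue.empty?
    name = queue.shift
    next unless reachable.add?(name)
    queue.concat(specs.fetch(name, []))
  end
  orphans = specs.keys.reject { |s| reachable.include?(s) }

  { undeclared: undeclared, orphans: orphans }
end

# Constructed sample inputs (not from any real project).
GEMFILE = <<~'RUBY'
  source "https://rubygems.org"
  ruby "3.2.2"
  gem "rack", "~> 2.2"
  group :test do
    gem "minitest", require: false
  end
RUBY

LOCKFILE_CLEAN = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      minitest (5.18.0)
      rack (2.2.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    minitest
    rack (~> 2.2)

  BUNDLED WITH
     2.4.10
LOCK

# Injection 1: a new top-level dependency plus a spec nothing references.
LOCKFILE_TAMPERED = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      evil-gem (0.0.1)
      minitest (5.18.0)
      rack (2.2.7)
      sneaky-helper (1.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    evil-gem
    minitest
    rack (~> 2.2)
LOCK

# Injection 2: the gem is spliced in as a dependency of a legitimate spec,
# so DEPENDENCIES is untouched and the graph check passes. Neither this
# audit nor frozen mode catches it; re-resolving from the Gemfile does.
LOCKFILE_SPLICED = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      evil-helper (0.0.1)
      minitest (5.18.0)
      rack (2.2.7)
        evil-helper (>= 0)

  PLATFORMS
    ruby

  DEPENDENCIES
    minitest
    rack (~> 2.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  { "clean" => LOCKFILE_CLEAN, "tampered" => LOCKFILE_TAMPERED,
    "spliced" => LOCKFILE_SPLICED }.each do |label, lock|
    puts "#{label}: #{audit_lockfile(GEMFILE, lock).inspect}"
  end
end
```

Running the script reports nothing for the clean lockfile, flags `evil-gem` as undeclared and `sneaky-helper` as an orphan for the tampered one, and reports nothing for the spliced one, which is exactly the blind spot the text describes: a check that only compares the top-level dependency list against the manifest cannot tell an attacker's edge from a legitimately resolved one.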