High severityNVD Advisory· Published Jan 13, 2013· Updated Apr 29, 2026

CVE-2013-0156

Description

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
actionpackRubyGems	< 2.3.15	2.3.15
actionpackRubyGems	>= 3.0.0, < 3.0.19	3.0.19
actionpackRubyGems	>= 3.1.0, < 3.1.10	3.1.10
actionpackRubyGems	>= 3.2.0, < 3.2.11	3.2.11

Affected products

Rubyonrails/Rails
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Range: >=3.2.0,<3.2.11
Rubyonrails/Ruby On Rails
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*
Range: <2.3.15
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

ics-cert.us-cert.gov/advisories/ICSA-13-036-01AnvdThird Party AdvisoryUS Government Resource
lists.apple.com/archives/security-announce/2013/Mar/msg00002.htmlnvdMailing ListThird Party Advisory
rhn.redhat.com/errata/RHSA-2013-0153.htmlnvdThird Party AdvisoryWEB
rhn.redhat.com/errata/RHSA-2013-0154.htmlnvdThird Party AdvisoryWEB
rhn.redhat.com/errata/RHSA-2013-0155.htmlnvdThird Party AdvisoryWEB
weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/nvdVendor Advisory
www.debian.org/security/2013/dsa-2604nvdThird Party AdvisoryWEB
www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.htmlnvdThird Party AdvisoryWEB
www.insinuator.net/2013/01/rails-yaml/nvdThird Party Advisory
www.kb.cert.org/vuls/id/380039nvdThird Party AdvisoryUS Government ResourceWEB
www.kb.cert.org/vuls/id/628463nvdThird Party AdvisoryUS Government ResourceWEB
community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156nvdThird Party AdvisoryWEB
github.com/advisories/GHSA-jmgw-6vjg-jjwgghsaADVISORY
groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89dnvdThird Party AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2013-0156ghsaADVISORY
puppet.com/security/cve/cve-2013-0156nvdThird Party Advisory
weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-releasedghsaWEB
www.insinuator.net/2013/01/rails-yamlghsaWEB
web.archive.org/web/20140111025708/http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.htmlghsaWEB
web.archive.org/web/20160415043747/https://ics-cert.us-cert.gov/advisories/ICSA-13-036-01AghsaWEB
web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.074
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000