High severityNVD Advisory· Published Apr 25, 2013· Updated Jun 16, 2026
CVE-2013-0175
CVE-2013-0175
Description
multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
multi_xmlRubyGems | < 0.5.2 | 0.5.2 |
Affected products
16- cpe:2.3:a:erik_michaels-ober:multi_xml:0.5.2:*:*:*:*:*:*:*
cpe:2.3:a:grape_project:grape:0.1.0:*:*:*:*:*:*:*+ 11 more
- cpe:2.3:a:grape_project:grape:0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:grape_project:grape:0.2.5:*:*:*:*:*:*:*
- ghsa-coords3 versionspkg:gem/multi_xmlpkg:rpm/opensuse/ruby3.2-rubygem-multi_xml&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-multi_xml&distro=openSUSE%20Tumbleweed
< 0.5.2+ 2 more
- (no CPE)range: < 0.5.2
- (no CPE)range: < 0.6.0-1.23
- (no CPE)range: < 0.6.0-1.27
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-pchc-949f-53m5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-0175ghsaADVISORY
- github.com/sferik/multi_xml/commit/c94b136d06822514fc2e99dc851e6c4eeb4c8bdfghsaWEB
- github.com/sferik/multi_xml/pull/34nvdWEB
- groups.google.com/forum/ghsaWEB
- news.ycombinator.com/itemnvdWEB
- www.openwall.com/lists/oss-security/2013/01/11/9ghsaWEB
- www.openwall.com/lists/oss-security/2013/01/11/9nvd
- gist.github.com/nate/d7f6d9f4925f413621aanvd
- groups.google.com/forum/nvd
News mentions
0No linked articles in our index yet.