VYPR
High severity · NVD Advisory · Published Apr 9, 2013 · Updated Apr 29, 2026

CVE-2013-1801

Description

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.
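The difference the patch removes, as an added example that is neither httparty's code nor part of the advisory: a response body handed to YAML.load (what the removed HTTParty::Parser#yaml did) can name an arbitrary Ruby class with a tag and have it instantiated, while a restricted loader refuses the tag and still parses ordinary data. The AuditRecord class and both response bodies are constructed for the example.

```ruby
require 'yaml'

# Hypothetical application class; a YAML document can name it with a tag.
class AuditRecord
  attr_accessor :note
end

# Constructed body an untrusted server could return with Content-Type: text/yaml.
UNTRUSTED_BODY = "--- !ruby/object:AuditRecord\nnote: set by the server\n"

# Constructed benign body, the same shape as the request spec deleted by the patch.
BENIGN_BODY = "books: \n  book: \n    name: Foo Bar!\n    id: \"1234\"\n"

# Mirrors the removed HTTParty::Parser#yaml, which called YAML.load(body).
# On Psych 4 (Ruby 3.1+) YAML.load is already restricted, so the 2013
# behaviour is reproduced with YAML.unsafe_load where that method exists.
def parse_unrestricted(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Hardened form: only plain scalars, arrays and hashes come back; a tagged
# Ruby class is refused with Psych::DisallowedClass instead of instantiated.
def parse_restricted(body)
  { ok: true, value: YAML.safe_load(body) }
rescue Psych::DisallowedClass => e
  { ok: false, error: e.message }
end

# What the client ends up holding for each body under each parser.
def demo
  {
    unrestricted: parse_unrestricted(UNTRUSTED_BODY).class.name, # "AuditRecord"
    restricted:   parse_restricted(UNTRUSTED_BODY)[:ok],          # false
    benign:       parse_restricted(BENIGN_BODY)[:value]           # plain Hash
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The unrestricted path shows why auto-detecting text/yaml was dangerous: the server, not the client, decides which class gets built.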

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           httparty (RubyGems)
Affected versions: < 0.10.0
Patched versions:  0.10.0

Affected products

  • jnunemaker/httparty: 46 versions listed, covered by cpe:2.3:a:jnunemaker:httparty:*:*:*:*:*:*:*:* (range: <= 0.9.0)

Patches

Commit 53a812426dd3 (jnunemaker/httparty, John Nunemaker, Jan 10, 2013, via GHSA):

Remove yaml due to possible security risk.

https://github.com/jnunemaker/httparty
6 files changed: +7 −25
  • examples/custom_parsers.rb (+1 −1, modified)
    @@ -1,7 +1,7 @@
     class ParseAtom
       include HTTParty
     
    -  # Support Atom along with the default parsers: xml, json, yaml, etc.
    +  # Support Atom along with the default parsers: xml, json, etc.
       class Parser::Atom < HTTParty::Parser
         SupportedFormats.merge!({"application/atom+xml" => :atom})
     
    
  • History (+4 −0, modified)
    @@ -1,3 +1,7 @@
    +== 0.10.0 2013-01-10
    +* changes
    +  * removed yaml support because of security risk (see rails yaml issues)
    +
     == 0.9.0 2012-09-07
     * new
       * [support for connection adapters](https://github.com/jnunemaker/httparty/pull/157)
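Review bot: the new 0.10.0 entry should say what users relying on `format :yaml` will see, since after this commit it raises HTTParty::UnsupportedFormat (the expected message in spec/httparty_spec.rb is updated accordingly); a pointer to the advisory once an identifier exists would also help downstream maintainers decide whether to upgrade.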
    
  • lib/httparty/parser.rb (+1 −7, modified)
    @@ -1,5 +1,5 @@
     module HTTParty
    -  # The default parser used by HTTParty, supports xml, json, html, yaml, and
    +  # The default parser used by HTTParty, supports xml, json, html, and
       # plain text.
       #
       # == Custom Parsers
    @@ -45,8 +45,6 @@ class Parser
           'application/javascript' => :json,
           'text/javascript'        => :json,
           'text/html'              => :html,
    -      'application/x-yaml'     => :yaml,
    -      'text/yaml'              => :yaml,
           'text/plain'             => :plain
         }
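Review bot: with 'application/x-yaml' and 'text/yaml' gone from SupportedFormats, a response carrying one of those content types no longer maps to any parser; the diff does not show what Parser does for an unmapped type, so please confirm the body is returned unparsed (not fed to another parser) and cover that with a spec, since the request spec change below only deletes the positive yaml case.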
     
    @@ -120,10 +118,6 @@ def json
           end
         end
     
    -    def yaml
    -      YAML.load(body)
    -    end
    -
         def html
           body
         end
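Review bot: removing `def yaml` is the actual fix, because `YAML.load(body)` deserialises whatever class the remote server tags in the response. Two follow-ups: if the library still has a `require 'yaml'` for this method (not visible in this diff), it can go too; and should yaml support ever be reinstated, it needs a restricted loader such as `YAML.safe_load` rather than `YAML.load` on an untrusted body.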
    
  • spec/httparty/parser_spec.rb (+0 −5, modified)
    @@ -155,11 +155,6 @@ def self.name; 'AtomParser'; end
           subject.send(:json)
         end
     
    -    it "parses yaml" do
    -      YAML.should_receive(:load).with('body')
    -      subject.send(:yaml)
    -    end
    -
         it "parses html by simply returning the body" do
           subject.send(:html).should == 'body'
         end
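Review bot: deleting the "parses yaml" example leaves the removal unguarded; a negative spec such as `it "no longer responds to yaml"` asserting `subject.send(:yaml)` raises NoMethodError (or that `SupportedFormats` has no `:yaml` value) would stop a later refactor from quietly reintroducing it.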
    
  • spec/httparty/request_spec.rb (+0 −6, modified)
    @@ -225,12 +225,6 @@
           @request.send(:parse_response, json).should == {'books' => {'book' => {'id' => '1234', 'name' => 'Foo Bar!'}}}
         end
     
    -    it 'should handle yaml automatically' do
    -      yaml = "books: \n  book: \n    name: Foo Bar!\n    id: \"1234\"\n"
    -      @request.options[:format] = :yaml
    -      @request.send(:parse_response, yaml).should == {'books' => {'book' => {'id' => '1234', 'name' => 'Foo Bar!'}}}
    -    end
    -
         it "should include any HTTP headers in the returned response" do
           @request.options[:format] = :html
           response = stub_response "Content"
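Review bot: rather than only dropping 'should handle yaml automatically', keep the same yaml fixture string and assert the opposite, that `@request.send(:parse_response, yaml)` with `@request.options[:format] = :yaml` is rejected (or that the body comes back as a String, whichever parse_response now does); that turns the deleted test into a regression test for the fix.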
    
  • spec/httparty_spec.rb (+1 −6, modified)
    @@ -384,11 +384,6 @@ class MyParser < HTTParty::Parser
           @klass.default_options[:format].should == :json
         end
     
    -    it "should allow yaml" do
    -      @klass.format :yaml
    -      @klass.default_options[:format].should == :yaml
    -    end
    -
         it "should allow plain" do
           @klass.format :plain
           @klass.default_options[:format].should == :plain
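Review bot: the deleted "should allow yaml" block is the natural place for its inverse: `it "should reject yaml"` with `lambda { @klass.format :yaml }.should raise_error(HTTParty::UnsupportedFormat)`, so the class-level API is pinned to the new behaviour as well as the parser.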
    @@ -403,7 +398,7 @@ class MyParser < HTTParty::Parser
         it 'should only print each format once with an exception' do
           lambda do
             @klass.format :foobar
    -      end.should raise_error(HTTParty::UnsupportedFormat, "':foobar' Must be one of: html, json, plain, xml, yaml")
    +      end.should raise_error(HTTParty::UnsupportedFormat, "':foobar' Must be one of: html, json, plain, xml")
         end
     
         it 'sets the default parser' do
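Review bot: the expected message "':foobar' Must be one of: html, json, plain, xml" hard-codes the format list a second time; building it from HTTParty::Parser::SupportedFormats.values (sorted, uniq, joined) would keep this spec from drifting the next time a format is added or removed.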
    

