CVE-2013-1802
Description
The extlib gem before 0.9.16 allows object injection via unsafe YAML or Symbol type conversion, enabling arbitrary code execution or denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The extlib gem for Ruby, versions 0.9.15 and earlier, does not properly restrict casts of string values. Untrusted input can select a YAML or Symbol type conversion through the Action Pack-style conversion support that extlib carries, so a string supplied by the client is handed to the YAML loader or interned as a Symbol instead of being kept as a string. This is a related issue to CVE-2013-0156 in Rails. Affected versions are extlib <= 0.9.15; the fix was released in version 0.9.16 [1], [3].
Exploitation
An attacker can conduct object-injection attacks by sending crafted YAML or Symbol-typed data to any input vector of an application that routes it through extlib's type conversion. No special network position is required beyond normal access to those inputs, and the attack depends only on the application processing untrusted data via the vulnerable cast. A YAML document that carries a Ruby object tag is deserialized into an object of the attacker's choosing; Symbol conversion of attacker-controlled strings is the path to resource exhaustion.
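The cast table below is an added illustration of the defect described under Vulnerability and Exploitation, not extlib's own code: a type tag taken from untrusted input selects the conversion, and two of the entries (yaml and symbol) turn a plain string into an arbitrary object or an interned Symbol. The class name Marker, the table layout, the cast functions and the payload are all constructed for the example. YAML.unsafe_load stands in for the unrestricted YAML.load that Ruby shipped in 2013 (Psych 4 and later make YAML.load a safe load). The hardened table shows one way to close the hole, dropping the caller-selectable YAML and Symbol conversions so those tags fall through as strings; it is an illustration, not the 0.9.16 patch.

```ruby
require 'yaml'

# Constructed target class for the object-injection demonstration.
# A YAML !ruby/object tag instantiates it WITHOUT calling initialize.
class Marker
  attr_reader :name
  def initialize
    @name = 'never called'
  end
end

# Pre-2013 YAML.load was the unrestricted loader; Psych 4+ turned it into
# safe_load, so use unsafe_load where it exists to reproduce that behaviour.
UNSAFE_LOAD = YAML.respond_to?(:unsafe_load) ? YAML.method(:unsafe_load) : YAML.method(:load)

# Vulnerable shape (constructed, not extlib's table): the type tag comes
# straight from the request and two entries are dangerous.
VULNERABLE_CASTS = {
  'integer' => ->(s) { Integer(s) },
  'boolean' => ->(s) { %w[true 1].include?(s.strip.downcase) },
  'yaml'    => ->(s) { UNSAFE_LOAD.call(s) }, # arbitrary object instantiation
  'symbol'  => ->(s) { s.to_sym }             # attacker-controlled symbol creation
}.freeze

def vulnerable_cast(value, type)
  caster = VULNERABLE_CASTS[type]
  caster ? caster.call(value) : value
end

# Hardened shape: no caller-selectable YAML or Symbol conversion at all.
# An unknown or removed tag leaves the value as the original String.
SAFE_CASTS = {
  'integer' => ->(s) { Integer(s) },
  'boolean' => ->(s) { %w[true 1].include?(s.strip.downcase) }
}.freeze

def safe_cast(value, type)
  caster = SAFE_CASTS[type]
  caster ? caster.call(value) : value
end

# Constructed attacker payload: a tagged YAML document naming a class the
# attacker wants instantiated, with an instance variable of their choosing.
PAYLOAD = "--- !ruby/object:Marker\nname: injected\n".freeze

if __FILE__ == $0
  obj = vulnerable_cast(PAYLOAD, 'yaml')
  puts "vulnerable yaml:   #{obj.class} name=#{obj.name.inspect}"
  sym = vulnerable_cast('session_12345', 'symbol')
  puts "vulnerable symbol: #{sym.inspect} (#{sym.class})"
  puts "hardened yaml:     #{safe_cast(PAYLOAD, 'yaml').class}"
  puts "hardened symbol:   #{safe_cast('session_12345', 'symbol').class}"
end
```

The Marker instance comes back with name set to "injected" and its constructor never ran, which is the object-injection primitive; a real target would be a class whose methods do something dangerous on load or on later use. The symbol path matters for denial of service because Ruby versions before 2.2 never garbage-collected symbols, so every distinct attacker-supplied string stays resident for the life of the process.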
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server or cause a denial of service through excessive memory and CPU consumption. The attack can lead to full compromise of the confidentiality, integrity, and availability of the affected system [1].
Mitigation
The fix was released in extlib version 0.9.16, which is available on RubyGems [3]. Users should update the gem using bundle update extlib and ensure their Gemfile.lock references version 0.9.16 or later [3]. No workarounds are documented if the gem cannot be updated. The vulnerability is not known to be in the CISA KEV catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| extlib (RubyGems) | < 0.9.16 | 0.9.16 |
Affected products
- cpe:2.3:a:dan_kubb:extlib:*:*:*:*:*:*:*:* (range: <= 0.9.15)
- cpe:2.3:a:dan_kubb:extlib:0.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.11:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.12:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.13:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.14:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:dan_kubb:extlib:0.9.9:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/datamapper/extlib/compare/b4f98174ec35ac96f76a08d5624fad05d22879b5...4540e7102b803624cc2eade4bb8aaaa934fc31c5 (NVD: Exploit, Patch)
- github.com/advisories/GHSA-9h36-4jf2-hx53 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-1802 (GHSA: Advisory)
- lists.opensuse.org/opensuse-security-announce/2013-04/msg00002.html (NVD)
- bugzilla.redhat.com/show_bug.cgi (NVD)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/extlib/CVE-2013-1802.yml (GHSA)
- web.archive.org/web/20130203232028/https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately (GHSA)
- support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately (NVD)
News mentions
No linked articles in our index yet.