CVE-2019-13146
Description
The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-13146 is an input validation vulnerability in Ruby's field_test gem <=0.3.0 that can lead to SQL injection or XSS if applications treat arbitrary variants as trusted.
The field_test gem version 0.3.0 for Ruby's A/B testing framework lacks input validation, allowing a method call that should return a predefined variant to return an arbitrary string [1][2]. This occurs because the gem does not sanitize user-supplied variant parameters before returning them [3].
An attacker can exploit this by manipulating the variant parameter (e.g., via query strings like ?field_test[button_color]=malicious) [2]. If the application trusts the returned value and uses it in SQL queries or HTML rendering without escaping, it becomes vulnerable [1][4].
The impact includes SQL injection and cross-site scripting (XSS), as the unvalidated variant can be crafted to execute malicious SQL or script [1][4]. The severity depends on how the application processes the variant.
The vulnerability is fixed in field_test version 0.3.1 [4]. Users should upgrade immediately to mitigate the risk.
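As an added illustration that is not field_test's own code, the following hypothetical Ruby variant lookup shows the defect class described above, a request-supplied variant override returned without validation, beside the hardened form that only honours an override naming a configured variant. The module, method and experiment names are assumptions.

```ruby
# Added illustration of the CVE-2019-13146 defect class; not field_test's code.
# VariantLookup, the method names and the experiment table are hypothetical.
module VariantLookup
  # Constructed experiment configuration: each experiment has a fixed variant set,
  # and the first entry is treated as the default variant.
  EXPERIMENTS = {
    "button_color" => %w[red blue green]
  }.freeze

  # Vulnerable pattern: an override from the request (e.g. a
  # ?field_test[button_color]=... query parameter, already parsed into a hash)
  # is returned as-is, so callers that expect one of the configured variants can
  # receive an arbitrary string instead.
  def self.unsafe_variant_for(experiment, params)
    override = params.dig("field_test", experiment)
    return override unless override.nil?
    EXPERIMENTS.fetch(experiment).first
  end

  # Hardened pattern: the override is honoured only if it names a configured
  # variant; anything else falls back to the default. Callers can then safely
  # treat the result as a member of the known set.
  def self.safe_variant_for(experiment, params)
    variants = EXPERIMENTS.fetch(experiment)
    override = params.dig("field_test", experiment)
    return override if variants.include?(override)
    variants.first
  end

  # Consumer that relies on the returned value being a known variant: it keys a
  # lookup table rather than interpolating the string into markup or a query.
  BUTTON_MARKUP = {
    "red"   => '<button class="btn-red">Buy</button>',
    "blue"  => '<button class="btn-blue">Buy</button>',
    "green" => '<button class="btn-green">Buy</button>'
  }.freeze

  def self.render_button(params)
    BUTTON_MARKUP.fetch(safe_variant_for("button_color", params))
  end
end
```

With the hardened lookup, an unexpected override never reaches the consumer, so the downstream SQL or HTML code only ever sees one of the configured variants.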
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| field_test | RubyGems | >= 0.3.0, < 0.3.1 | 0.3.1 |
Affected products
- field_test/field_test
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wg9m-gw3h-hg83 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-13146 (NVD entry)
- www.securityfocus.com/bid/109114 (SecurityFocus BID)
- github.com/ankane/field_test/issues/17 (upstream issue)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/field_test/CVE-2019-13146.yml (ruby-advisory-db)
- rubygems.org/gems/field_test (RubyGems)
- web.archive.org/web/20210115194802/http://www.securityfocus.com/bid/109114 (archived SecurityFocus BID)
News mentions
No linked articles in our index yet.