Platform
ruby
Component
multi_xml
Fixed in
0.5.2
CVE-2013-0175 is a critical object injection vulnerability discovered in the multixml Ruby gem. This flaw allows attackers to execute arbitrary code or trigger denial-of-service conditions by exploiting improper handling of string casts within XML parsing. The vulnerability impacts versions of multixml up to and including 0.5.1, and is particularly relevant to applications using Grape versions prior to 0.2.6 that utilize multi_xml.
The primary impact of CVE-2013-0175 is the potential for remote code execution (RCE). An attacker can craft malicious XML input that, when processed by the vulnerable multi_xml gem, leads to the execution of arbitrary commands on the server. This can result in complete system compromise, data theft, or further malicious activity. The vulnerability also presents a denial-of-service (DoS) risk, as nested XML entity references can be exploited to consume excessive memory and CPU resources, rendering the application unresponsive. The vulnerability's similarity to CVE-2013-0156 suggests a broader class of XML parsing vulnerabilities that should be reviewed.
CVE-2013-0175 was published on October 24, 2017. Public proof-of-concept exploits were not immediately available, but the vulnerability's similarity to CVE-2013-0156 raised concerns about potential exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's age and the availability of a patch suggest that active exploitation is unlikely, but the potential for exploitation remains if systems are still running vulnerable versions.
Exploit Status
EPSS
1.26% (79% percentile)
The definitive mitigation for CVE-2013-0175 is to upgrade the multi_xml gem to version 0.5.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization to prevent the injection of malicious XML payloads. Specifically, restrict the types of data that can be cast and carefully validate XML input before processing. Web application firewalls (WAFs) configured to detect and block malicious XML payloads can provide an additional layer of defense. There are no specific Sigma or YARA rules readily available for this vulnerability, but generic XML parsing anomaly detection rules may be applicable.
No official patch available. Check for workarounds or monitor for updates.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2013-0175 is a HIGH severity vulnerability affecting the multi_xml Ruby gem, allowing remote attackers to execute code or cause denial of service through object injection by exploiting improper XML parsing.
You are affected if you are using multixml gem versions 0.5.1 or earlier, or if you are using Grape versions prior to 0.2.6 that rely on multixml.
Upgrade the multi_xml gem to version 0.5.2 or later. If upgrading is not possible, implement strict input validation and sanitization for XML data.
While active exploitation is unlikely due to the vulnerability's age and the availability of a patch, the potential for exploitation remains if systems are running vulnerable versions.
The official advisory can be found in the NVD database: https://nvd.nist.gov/vuln/detail/CVE-2013-0175
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your Gemfile.lock file and we'll tell you instantly if you're affected.