Platform: ruby
Component: json
Fixed in: 1.5.5
CVE-2013-0269 is a denial of service and SQL injection vulnerability discovered in the Ruby JSON gem. Attackers can exploit this flaw by crafting malicious JSON documents that trigger the creation of arbitrary Ruby symbols or internal objects, potentially leading to resource exhaustion or SQL injection attacks. This vulnerability affects versions of the JSON gem prior to 1.5.5, as well as specific versions within the 1.6.x and 1.7.x branches. A fix is available in version 1.5.5.
The primary impact of CVE-2013-0269 is the potential for denial of service. A carefully crafted JSON document can cause the Ruby interpreter to consume excessive resources, leading to application instability or crashes. More critically, the vulnerability allows for SQL injection attacks, particularly within Ruby on Rails applications. By manipulating the JSON data, an attacker can inject malicious SQL queries, potentially gaining unauthorized access to sensitive data stored in the database. This could include user credentials, financial information, or other confidential data. The "Unsafe Object Creation Vulnerability" also allows mass-assignment protections to be bypassed, further expanding the attack surface.
CVE-2013-0269 was publicly disclosed in 2017. While no active exploitation campaigns have been definitively linked to this specific CVE, the potential for SQL injection makes it a persistent concern, especially in older applications still using vulnerable versions of the JSON gem. The vulnerability's description explicitly references a SQL injection attack against Ruby on Rails, suggesting a potential exploitation pattern similar to other SQL injection vulnerabilities. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 17.32% (95th percentile)
The recommended mitigation for CVE-2013-0269 is to immediately upgrade the Ruby JSON gem to version 1.5.5 or later. If upgrading is not immediately feasible due to compatibility issues or application downtime concerns, consider implementing input validation and sanitization techniques to filter potentially malicious JSON data. Specifically, carefully scrutinize the structure and content of incoming JSON documents before processing them. While not a direct fix, implementing robust input validation can significantly reduce the risk of exploitation. After upgrading, confirm the fix by attempting to parse a known malicious JSON payload and verifying that it no longer triggers the vulnerability.
CVE-2013-0269 is a vulnerability in the Ruby JSON gem that allows attackers to cause denial of service or SQL injection via crafted JSON documents. It affects versions ≤1.5.4.
You are affected if your Ruby application uses the JSON gem version 1.5.4 or earlier, or specific versions within the 1.6.x and 1.7.x branches.
Upgrade the JSON gem to version 1.5.5 or later. Implement input validation and sanitization as a temporary workaround if immediate upgrade is not possible.
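The following Ruby snippet is an added example, not code from the advisory or the JSON gem project. It shows the two defensive steps described above: a Gemfile.lock check against the 1.5.5 fix version, and an input-hardening wrapper that parses with `create_additions: false` (so a `json_class` key cannot instantiate Ruby objects), caps nesting depth to limit resource consumption, and rejects any document carrying a `json_class` key. The page only says that "specific versions" of the 1.6.x and 1.7.x branches are affected without listing them, so the checker reports those branches as `:check_advisory` rather than guessing the ranges. The sample lockfile text, the `FIXED_VERSION` constant, `MAX_DEPTH`, and the function names are assumptions made for this example.

```ruby
# Added example for CVE-2013-0269 (not from the advisory page or the json gem).
require 'json'
require 'rubygems'

# --- 1. Dependency check against a Gemfile.lock ---------------------------
# The page states the fix landed in json 1.5.5; anything older is vulnerable.
# It also says some 1.6.x / 1.7.x releases are affected but does not list
# them, so those are flagged for a manual check against the advisory.
FIXED_VERSION = Gem::Version.new('1.5.5')

# Extract the locked json gem version, e.g. "    json (1.5.4)" under specs:.
def json_gem_version(lockfile_text)
  m = lockfile_text.match(/^\s+json \(([^)]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Returns :vulnerable, :fixed, :check_advisory or :not_found.
def json_gem_status(lockfile_text)
  v = json_gem_version(lockfile_text)
  return :not_found unless v
  return :vulnerable if v < FIXED_VERSION
  major, minor = v.segments
  return :check_advisory if major == 1 && [6, 7].include?(minor)
  :fixed
end

# --- 2. Input hardening for untrusted JSON ---------------------------------
MAX_DEPTH = 20 # assumed limit; tune to what the application actually needs

class UnsafeJSON < StandardError; end

# Parse untrusted JSON into plain Hash/Array/String/Numeric values only.
# create_additions: false stops json_class-driven object creation;
# max_nesting bounds parser recursion and the size of what gets built.
def safe_parse(doc)
  data = JSON.parse(doc, create_additions: false,
                         max_nesting: MAX_DEPTH,
                         symbolize_names: false)
  reject_json_class!(data)
  data
rescue JSON::ParserError => e # JSON::NestingError is a ParserError subclass
  raise UnsafeJSON, "rejected: #{e.class}"
end

# Walk the parsed structure and refuse any hash that carries a json_class key,
# even though create_additions: false already makes it inert.
def reject_json_class!(obj)
  case obj
  when Hash
    raise UnsafeJSON, 'json_class key present' if obj.key?('json_class')
    obj.each_value { |v| reject_json_class!(v) }
  when Array
    obj.each { |v| reject_json_class!(v) }
  end
end

# Convenience predicate: would safe_parse accept this document?
def accepts?(doc)
  safe_parse(doc)
  true
rescue UnsafeJSON
  false
end

if __FILE__ == $0
  # Constructed sample lockfile fragment pinning an affected version.
  sample_lock = "GEM\n  remote: https://rubygems.org/\n  specs:\n    json (1.5.4)\n"
  puts "json gem status: #{json_gem_status(sample_lock)}"
  puts "plain document accepted: #{accepts?('{"user":{"name":"alice"}}')}"
  puts "json_class document accepted: #{accepts?('{"json_class":"Foo"}')}"
  puts "deeply nested document accepted: #{accepts?('[' * 25 + ']' * 25)}"
end
```

`json_gem_status` is meant to run in CI over the checked-in Gemfile.lock; `safe_parse` is the one entry point application code should use for JSON that arrives from outside, so the safe options cannot be forgotten at individual call sites.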
While no active campaigns have been definitively linked, the potential for SQL injection makes it a persistent concern, especially in older applications.
Refer to the Ruby Security Advisory for details: https://rubysec.com/advisories/CVE-2013-0269