CVE-2013-0156

EXPLOITED

Ruby on Rails XML Processor YAML Deserialization Code Execution

Title source: metasploit

Exploitation Summary

CVE-2013-0156 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 15 public exploits from researchers including Metasploit, bsodmike and heroku, among them the Metasploit module exploits/multi/http/rails_xml_yaml_code_exec for the XML parameter parser this CVE describes. The sibling module exploits/multi/http/rails_json_yaml_code_exec, also listed below, targets the JSON-parser variant tracked as CVE-2013-0333.

AI-analyzed exploit summary (exploit-db 27527, the Metasploit known-secret session module): This exploit leverages a known secret token in Ruby on Rails applications to achieve remote code execution via deserialization of a crafted Ruby object in session cookies. It supports both Rails 3 and Rails 4 by generating signed (Rails 3) or encrypted (Rails 4) cookies containing malicious payloads. Unlike the XML parameter-parsing exploits listed below, it requires the application's secret_token or secret_key_base rather than an unpatched parser.

Description

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
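The cast-table behaviour the description refers to, as an added example that is not Rails code: a miniature of ActiveSupport's XML type casting with the 2013 table beside the table after the advisory's workaround, run over a constructed request body. VULNERABLE_CASTS, HARDENED_CASTS, params_from_xml and AuditRecord are this example's own names.

```ruby
require 'rexml/document'
require 'yaml'

# Added illustration of the flaw, not ActiveSupport code. Unpatched
# Hash.from_xml looked up each XML leaf's "type" attribute in a cast table
# (ActiveSupport::XmlMini::PARSING) and ran the converter on the element text.
# This is a miniature of that table; the two entries behind CVE-2013-0156 are
# "symbol" and "yaml".
VULNERABLE_CASTS = {
  "integer" => ->(v) { Integer(v) },
  "boolean" => ->(v) { %w[1 true].include?(v.strip) },
  "symbol"  => ->(v) { v.to_sym },
  # Rails called YAML.load, which before Psych 4 instantiated any !ruby/object
  # tag. Psych 4 (Ruby 3.1+) made YAML.load safe, so unsafe_load is used where
  # it exists to reproduce the 2013 behaviour.
  "yaml"    => ->(v) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(v) : YAML.load(v) }
}.freeze

# The workaround from the Rails advisory deleted both entries:
#   ActiveSupport::XmlMini::PARSING.delete("symbol")
#   ActiveSupport::XmlMini::PARSING.delete("yaml")
HARDENED_CASTS = VULNERABLE_CASTS.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Turn <root><k type="...">v</k>...</root> into a params Hash; leaves with an
# unknown or missing type stay Strings.
def params_from_xml(xml, casts)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.each_with_object({}) do |el, params|
    type = el.attributes["type"]
    text = el.text.to_s
    params[el.name] = casts.key?(type) ? casts[type].call(text) : text
  end
end

# A harmless application class standing in for whatever class the attacker's
# YAML names; the real exploits pick classes whose methods run attacker strings.
class AuditRecord
  attr_reader :user, :action
end

# Constructed request body: "count" is an ordinary cast, "tag" and "body" are
# the two dangerous ones.
MALICIOUS_XML = <<~XML
  <post>
    <title>hello</title>
    <count type="integer">3</count>
    <tag type="symbol">internal_only</tag>
    <body type="yaml">--- !ruby/object:AuditRecord
  user: admin
  action: delete_all
  </body>
  </post>
XML

def vulnerable_params
  params_from_xml(MALICIOUS_XML, VULNERABLE_CASTS)
end

def hardened_params
  params_from_xml(MALICIOUS_XML, HARDENED_CASTS)
end

if __FILE__ == $0
  v = vulnerable_params
  puts "vulnerable: tag=#{v['tag'].inspect} body=#{v['body'].class}"  # Symbol and AuditRecord
  h = hardened_params
  puts "hardened:   tag=#{h['tag'].inspect} body=#{h['body'].class}"  # both String
end
```

With the 2013 table the request body instantiates an application class before any controller code runs; with the two entries removed the same leaf arrives as an inert String, which is exactly the difference the advisory's workaround relied on.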

Exploits (15)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/27527

This exploit leverages a known secret token in Ruby on Rails applications to achieve remote code execution via deserialization of a crafted Ruby object in session cookies. It supports both Rails 3 and Rails 4 by generating signed or encrypted cookies containing malicious payloads.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails 3.x and 4.x
No auth needed
Prerequisites: Knowledge of the application's secret_token (Rails 3) or secret_key_base (Rails 4) · Target Rails version (3 or 4) · Valid session cookie name and salts for Rails 4
devstral-2 · analyzed Feb 16, 2026
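The cookie forgery this module relies on (the rails_secret_deserialization entry further down is the same module), as an added example that is not Metasploit or Rails code: a stand-in for ActiveSupport::MessageVerifier producing the Rails 3 signed-cookie format, used once legitimately, once by an attacker holding the leaked secret, and once after the secret has been rotated. SessionCookieSigner, Widget and both secret strings are this example's own names and constructed values; Rails 4's encrypted cookies (keys derived from secret_key_base and salts) are not modelled.

```ruby
require 'openssl'

# Added illustration of the Rails 3 signed session cookie that the known-secret
# module forges. This is a stand-in for ActiveSupport::MessageVerifier, not
# Rails code: the cookie is
#   "<base64(Marshal.dump(session))>--<hex HMAC-SHA1 over the base64 part>"
# keyed with config.secret_token.
class SessionCookieSigner
  def initialize(secret)
    @secret = secret
  end

  def generate(session)
    data = [Marshal.dump(session)].pack("m0")   # strict base64, no newlines
    "#{data}--#{digest(data)}"
  end

  # Returns the deserialized session, or nil if the HMAC does not match.
  # The signature is checked BEFORE Marshal.load, so an attacker without the
  # secret never reaches the deserializer. With the secret, any Marshal
  # payload passes the check and is loaded.
  def verify(cookie)
    data, sig = cookie.split("--", 2)
    return nil unless data && sig && constant_time_equal?(digest(data), sig)
    Marshal.load(data.unpack1("m0"))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest("SHA1", @secret, data)
  end

  # Byte-wise compare without early exit, so timing does not leak the digest.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# An application-side class the session would never legitimately contain;
# Marshal still instantiates it when the cookie carries a valid signature.
class Widget
  attr_reader :name
  def initialize(name)
    @name = name
  end
end

# Constructed secrets (Rails generates 128 hex characters for secret_token).
LEAKED_SECRET  = "3f0c" * 32
ROTATED_SECRET = "a91e" * 32

# What a user normally holds: a signed Hash, round-tripped through the signer.
def legitimate_session
  signer = SessionCookieSigner.new(LEAKED_SECRET)
  signer.verify(signer.generate({ "session_id" => "0123abcd", "user_id" => 42 }))
end

# What an attacker who learned the secret can do: sign an arbitrary object and
# have the application instantiate it. Returns the class name the application
# ends up deserializing, or nil when the cookie is rejected.
def forged_object_class(secret_in_use)
  forged = SessionCookieSigner.new(LEAKED_SECRET).generate(Widget.new("injected"))
  loaded = SessionCookieSigner.new(secret_in_use).verify(forged)
  loaded.nil? ? nil : loaded.class.name
end

if __FILE__ == $0
  p legitimate_session
  p forged_object_class(LEAKED_SECRET)   # "Widget": the app instantiated it
  p forged_object_class(ROTATED_SECRET)  # nil: rotation invalidates the forgery
end
```

The signature only proves possession of the secret, not that the serialized object is benign, which is why a leaked secret_token is treated as code execution and why the response is to rotate it (invalidating every existing cookie) rather than to filter cookie contents.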
exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/24019

This Metasploit module exploits CVE-2013-0156, a YAML deserialization vulnerability in Ruby on Rails, allowing remote code execution via crafted XML requests. It targets both Rails 2.x and 3.x by embedding malicious YAML payloads in XML data.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails 2.x and 3.x
No auth needed
Prerequisites: Vulnerable Ruby on Rails application exposed via HTTP
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 5 stars
by bsodmike · poc
https://github.com/bsodmike/rails-exploit-cve-2013-0156

This repository demonstrates CVE-2013-0156, a Ruby on Rails XML parameter parsing vulnerability leading to remote code execution. The exploit leverages unsafe YAML deserialization in Rails' parameter parsing to execute arbitrary code.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails < 3.2.11, < 3.1.10, < 3.0.19, < 2.3.15
No auth needed
Prerequisites: Target application must be running a vulnerable version of Rails · Target must have XML parameter parsing enabled
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER 1 stars
by heroku · dos
https://github.com/heroku/heroku-CVE-2013-0156

This repository contains a Ruby script that scans Heroku applications for vulnerable Rails versions affected by CVE-2013-0156. It checks the installed Rails version against a list of patched versions and flags applications that are potentially vulnerable.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ruby on Rails (versions before 3.2.11, 3.1.10, 3.0.19, 2.3.15)
Auth required
Prerequisites: Heroku CLI installed · Authenticated Heroku session · Access to list Heroku applications
devstral-2 · analyzed Feb 16, 2026
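The version comparison the heroku scanner performs, as an added example that is not the scanner's code: the fixed releases from the CVE description as a lookup table, a function that decides whether a given Rails version is affected, and a reader for Gemfile.lock so the check runs against a checked-out application instead of a Heroku app list. FIXED_RELEASES, vulnerable_rails_version?, rails_version_from_lockfile and the lockfile excerpt are this example's own.

```ruby
require 'rubygems'

# Added example, not the heroku scanner's code. Fixed releases per branch,
# taken from the CVE description: 2.3.15, 3.0.19, 3.1.10, 3.2.11.
FIXED_RELEASES = %w[2.3.15 3.0.19 3.1.10 3.2.11].map { |v| Gem::Version.new(v) }.freeze

# true when version_string is affected by CVE-2013-0156.
# Everything older than 2.3.15 is affected (the advisory says "before 2.3.15",
# which includes 2.2.x and earlier); 3.0/3.1/3.2 compare against their own
# fixed release; 4.0 and later shipped after the fix and are not affected.
def vulnerable_rails_version?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < FIXED_RELEASES.first
  fix = FIXED_RELEASES.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  fix ? v < fix : false
end

# Pull the resolved rails version out of a Gemfile.lock ("    rails (3.2.10)").
# Returns nil when the application does not depend on rails at all.
def rails_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^\s+rails \(([^)\s]+)\)/)
  m && m[1]
end

# Constructed Gemfile.lock excerpt for a pre-fix 3.2 application.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.10)
        activemodel (= 3.2.10)
        rack (~> 1.4.0)
      rails (3.2.10)
        actionpack (= 3.2.10)
        railties (= 3.2.10)
      rake (10.0.3)

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

# Convenience wrapper: a lockfile without rails is reported as not affected.
def lockfile_vulnerable?(lockfile_text)
  version = rails_version_from_lockfile(lockfile_text)
  version ? vulnerable_rails_version?(version) : false
end

if __FILE__ == $0
  %w[2.3.14 2.3.15 3.0.18 3.1.10 3.2.10 3.2.11 4.0.0].each do |ver|
    puts "#{ver}: #{vulnerable_rails_version?(ver) ? 'VULNERABLE' : 'fixed / not affected'}"
  end
  puts "sample Gemfile.lock: #{lockfile_vulnerable?(SAMPLE_LOCKFILE)}"
end
```

Gem::Version handles the comparison, so pre-release strings such as 3.2.11.rc1 sort before 3.2.11 and are correctly reported as affected. The check only says whether the parser shipped with that release is patched; an application on a fixed version that re-enables YAML or symbol casting, or an older one that applied the advisory's workaround, is not distinguished by version alone.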
nomisec WORKING POC
by 7s26simon · remote
https://github.com/7s26simon/CVE-2013-0156

This is a functional exploit for CVE-2013-0156, a YAML deserialization vulnerability in Ruby on Rails. It leverages unsafe object deserialization to achieve remote code execution (RCE) by crafting malicious YAML payloads sent via HTTP POST requests.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails (versions affected by CVE-2013-0156)
No auth needed
Prerequisites: Target must be running a vulnerable version of Ruby on Rails · Network access to the target application
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by oxben10 · remote
https://github.com/oxben10/CVE-2013-0156

This is a Python-based exploit for CVE-2013-0156, targeting a YAML deserialization vulnerability in Ruby on Rails (2.x and 3.x) to achieve remote code execution (RCE). The script crafts a malicious YAML payload embedded in XML and sends it to the target URL, leveraging insecure deserialization.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails 2.x and 3.x
No auth needed
Prerequisites: Vulnerable Ruby on Rails application (2.x or 3.x) · Network access to the target application
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by Jjdt12 · remote
https://github.com/Jjdt12/kuang_grade_mk11

This PoC exploits CVE-2013-0156, a Ruby on Rails YAML deserialization vulnerability, to achieve remote command execution. It base64-encodes the command, sends it inside a crafted XML body carrying a YAML payload, and has the target report the command output back to an attacker-controlled server, whose logs are then read to collect the result.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails (versions affected by CVE-2013-0156)
No auth needed
Prerequisites: Vulnerable Ruby on Rails application · Attacker-controlled server to receive logs · Access to target server's web interface
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by R3dKn33-zz · dos
https://github.com/R3dKn33-zz/CVE-2013-0156

This PoC exploits a Ruby on Rails YAML deserialization vulnerability (CVE-2013-0156) to achieve remote code execution. It crafts a malicious YAML payload embedded in XML, which triggers arbitrary command execution when processed by a vulnerable Rails application.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails < 3.2.11, < 3.1.10, < 3.0.19, < 2.3.15
No auth needed
Prerequisites: Vulnerable Ruby on Rails application exposed · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by josal · poc
https://github.com/josal/crack-0.1.8-fixed

This repository is named as a fixed build of Crack 0.1.8, the XML/JSON parsing gem extracted from Rails (not the Ruby JSON gem). Crack's parser reached YAML.load on attacker-controlled input the same way ActiveSupport's did, so the crafted payloads used against CVE-2013-0156 give remote code execution through it as well.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Crack gem 0.1.8 (XML/JSON parsing library derived from Rails)
No auth needed
Prerequisites: Target system must be using the vulnerable version of the Crack library
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by terracatta · poc
https://github.com/terracatta/name_reverser

This repository demonstrates CVE-2013-0156 with a small Rails application whose XML parameter parsing is vulnerable. The `PagesController` exposes a `reverse` action that calls `params[:name].reverse!` on user input; because unpatched Rails casts XML parameters carrying a type attribute (including type="yaml") before the action runs, a crafted XML body reaches the YAML deserialization regardless of what the action does with the value, yielding remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Ruby on Rails < 3.2.11, < 3.1.10, < 3.0.19, < 2.3.15
No auth needed
Prerequisites: A vulnerable Ruby on Rails application with XML parameter parsing enabled
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by jjarmoc, egypt, lian · ruby · poc · ruby
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_json_yaml_code_exec.rb

This Metasploit module exploits a YAML deserialization vulnerability in the Ruby on Rails JSON parser (CVE-2013-0333, the JSON-side counterpart of this CVE) by embedding malicious YAML in JSON requests, leading to remote code execution. It supports Rails 2.x and 3.x by crafting payloads that trigger arbitrary Ruby code execution via `eval`.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails 2.x, 3.x
No auth needed
Prerequisites: Target running Ruby on Rails with vulnerable JSON/YAML processing · Network access to the target application
devstral-2 · analyzed Jun 05, 2026
metasploit SCANNER
by jjarmoc, hdm · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb

This Metasploit module scans for Ruby on Rails instances vulnerable to CVE-2013-0156 by sending crafted JSON/YAML payloads and analyzing response codes to detect deserialization flaws.

Classification
Scanner 100%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails (versions affected by CVE-2013-0156)
No auth needed
Prerequisites: Network access to the target Rails application · Valid target URI and HTTP method
devstral-2 · analyzed Jun 05, 2026
metasploit SCANNER
by hdm, jjarmoc · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb

This Metasploit auxiliary module scans for Ruby on Rails instances vulnerable to CVE-2013-0156, a YAML deserialization flaw in the XML processor. It sends XML probes with YAML payloads to detect differential responses indicating vulnerability.

Classification
Scanner 95%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Reliable
Target: Ruby on Rails (versions affected by CVE-2013-0156)
No auth needed
Prerequisites: Network access to the target Rails application · XML/YAML processing endpoint
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
ruby · poc · ruby
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_secret_deserialization.rb

This Metasploit module exploits Ruby on Rails session cookies when the application's secret is known (it is tracked under CVE-2013-0156 here, but its prerequisite is the secret rather than an unpatched XML parser) to achieve remote code execution via Marshal deserialization of a crafted Ruby object. It supports Rails 3 and 4 by using the application's secret_token or secret_key_base to sign, or sign and encrypt, malicious session cookies.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails 3.x and 4.x
No auth needed
Prerequisites: Knowledge of the target's secret_token (Rails 3) or secret_key_base (Rails 4) · Access to a vulnerable Rails application endpoint
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by charliesome, espes, lian, hdm · ruby · poc · ruby
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb

This Metasploit module exploits CVE-2013-0156, a YAML deserialization vulnerability in Ruby on Rails (RoR) 2.x and 3.x, allowing remote code execution via crafted XML requests containing malicious YAML payloads. The exploit leverages the `eval` function to execute arbitrary Ruby code in the context of the target application.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruby on Rails 2.x and 3.x
No auth needed
Prerequisites: Target running Ruby on Rails 2.x or 3.x with XML request processing enabled · Network access to the target application
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References
Third Party Advisory x_refsource_misc
http://www.insinuator.net/2013/01/rails-yaml/
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0155.html
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/628463
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/380039
Mailing List, Third Party Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2604
Third Party Advisory, US Government Resource x_refsource_misc
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0154.html
Third Party Advisory x_refsource_confirm
https://puppet.com/security/cve/cve-2013-0156
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0153.html

Scores

EPSS 0.9191
EPSS Percentile 99.7%

Details

VulnCheck KEV 2013-05-28
CWE
CWE-20
Status published
Products (5)
debian/debian_linux 6.0
debian/debian_linux 7.0
rubygems/actionpack 0 - 2.3.15 (RubyGems)
rubyonrails/rails 3.2.0 - 3.2.11
rubyonrails/ruby_on_rails < 2.3.15
Published Jan 13, 2013
Tracked Since Feb 18, 2026