CVE-2013-0269

JSON gem < 1.5.5, 1.6.x < 1.6.8, 1.7.x < 1.7.7 - DoS and Mass Assignment Bypass via Crafted JSON


Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-0269. PoCs published by heroku.

AI-analyzed exploit summary: This repository contains a Ruby script to scan Heroku applications for vulnerable versions of the JSON gem (CVE-2013-0269). It checks installed JSON versions against known vulnerable ranges and reports affected apps.

Description

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

Exploits (1)

nomisec · SCANNER · 2 stars
by heroku · poc
https://github.com/heroku/heroku-CVE-2013-0269


Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Ruby JSON gem (versions <= 1.5.4, 1.6.0-1.6.7, 1.7.0-1.7.6)
Auth required: yes
Prerequisites: Heroku CLI access · Valid Heroku credentials · Ruby environment
Analysis: devstral-2 · analyzed Feb 16, 2026

References (23)

Core References (23)
Mailing List (vendor-advisory, x_refsource_apple): http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-0701.html
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-1028.html
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-1147.html
Mailing List (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/52774
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://www.osvdb.org/90074
Various Sources (x_refsource_confirm): https://puppet.com/security/cve/cve-2013-0269
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/52902
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-0686.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/57899
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2013/02/11/7
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2013/02/11/8
Vendor Advisory (vendor-advisory, x_refsource_ubuntu): http://www.ubuntu.com/usn/USN-1733-1
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/82010
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/52075

Scores

EPSS 0.1732
EPSS Percentile 95.2%

Details

CWE: CWE-20
Status: published
Products (21)
rubygems/json 0 - 1.5.5 (RubyGems)
rubygems/json_gem 1.5.0
rubygems/json_gem 1.5.1
rubygems/json_gem 1.5.2
rubygems/json_gem 1.5.3
rubygems/json_gem 1.5.4
rubygems/json_gem 1.6.0
rubygems/json_gem 1.6.1
rubygems/json_gem 1.6.2
rubygems/json_gem 1.6.3
... and 11 more
Published: Feb 13, 2013
Tracked Since: Feb 18, 2026