CVE-2013-0333

Ruby on Rails 2.3.x-2.3.15 and 3.0.x-3.0.19 - Remote Code Execution via YAML Deserialization


Exploitation Summary

EIP tracks 4 public exploits for CVE-2013-0333: PoCs published by Metasploit, heroku, jjarmoc and hdm, including the Metasploit module auxiliary/scanner/http/rails_json_yaml_scanner.

AI-analyzed exploit summary: This Metasploit module exploits a YAML deserialization vulnerability in Ruby on Rails (CVE-2013-0333) to achieve remote code execution by embedding malicious YAML in JSON requests. It targets Rails 2.x and 3.x by leveraging the `NamedRouteCollection` vector to execute arbitrary Ruby code.

Description

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

Exploits (4)

exploitdb · Working PoC · Verified
by Metasploit · tags: ruby, remote, multiple
https://www.exploit-db.com/exploits/24434

This Metasploit module exploits a YAML deserialization vulnerability in Ruby on Rails (CVE-2013-0333) to achieve remote code execution by embedding malicious YAML in JSON requests. It targets Rails 2.x and 3.x by leveraging the `NamedRouteCollection` vector to execute arbitrary Ruby code.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ruby on Rails 2.x and 3.x
Authentication: none needed
Prerequisites: Target application running Ruby on Rails 2.x or 3.x with vulnerable JSON processor · Network access to the target application
Analyzed by devstral-2, Feb 16, 2026
nomisec · Scanner · 2 stars
by heroku · tags: poc
https://github.com/heroku/heroku-CVE-2013-0333

This repository contains a Ruby script to scan Heroku applications for vulnerable Rails versions affected by CVE-2013-0333. It checks installed Rails versions against known vulnerable ranges (2.3.0-2.3.15 and 3.0.0-3.0.19) and reports affected apps.

Classification: Scanner (100%)
Attack type: Info leak
Complexity: Trivial
Reliability: Reliable
Target: Ruby on Rails (versions 2.3.0-2.3.15, 3.0.0-3.0.19)
Authentication: required
Prerequisites: Heroku CLI access · Valid Heroku account with apps to scan
Analyzed by devstral-2, Feb 16, 2026
metasploit · Scanner
by jjarmoc, hdm · tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb

This Metasploit module scans for Ruby on Rails instances vulnerable to CVE-2013-0156 by sending JSON and YAML probes to detect deserialization flaws. It checks for inconsistent response codes to identify potential vulnerabilities.

Classification: Scanner (95%)
Attack type: Deserialization
Complexity: Trivial
Reliability: Reliable
Target: Ruby on Rails (versions affected by CVE-2013-0156)
Authentication: none needed
Prerequisites: Network access to the target Rails application
Analyzed by devstral-2, Feb 16, 2026
metasploit · Working PoC · Excellent
by jjarmoc, egypt, lian · tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_json_yaml_code_exec.rb

This Metasploit module exploits a YAML deserialization vulnerability in Ruby on Rails (CVE-2013-0333) to achieve remote code execution. It crafts malicious YAML payloads embedded in JSON requests, targeting Rails 2.x and 3.x applications.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ruby on Rails 2.x, 3.x
Authentication: none needed
Prerequisites: Target running Ruby on Rails 2.x or 3.x with vulnerable JSON processor · Network access to the target application
Analyzed by devstral-2, Feb 16, 2026

References (11)

US Government Resource, third-party advisory (x_refsource_cert-vn): http://www.kb.cert.org/vuls/id/628463
Third Party Advisory, vendor advisory (x_refsource_debian): http://www.debian.org/security/2013/dsa-2613
Vendor Advisory (x_refsource_confirm): http://support.apple.com/kb/HT5784
Mailing List, vendor advisory (x_refsource_apple): http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
Mailing List, vendor advisory (x_refsource_apple): http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
Vendor Advisory, vendor advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-0201.html
Vendor Advisory, vendor advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-0202.html
Various Sources (x_refsource_confirm): https://puppet.com/security/cve/cve-2013-0333
Vendor Advisory, vendor advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-0203.html

Scores

EPSS: 0.9176
EPSS percentile: 99.7%

Details

Status: published
Products (26)
rubygems/activesupport 2.3.2 - 2.3.16 (RubyGems)
rubyonrails/rails 2.3.0
rubyonrails/rails 2.3.1
rubyonrails/rails 2.3.2
rubyonrails/rails 2.3.3
rubyonrails/rails 2.3.4
rubyonrails/rails 2.3.9
rubyonrails/rails 2.3.10
rubyonrails/rails 2.3.11
rubyonrails/rails 2.3.12
... and 16 more
Published: Jan 30, 2013
Tracked since: Feb 18, 2026