Vulnerability details: VCID-v5s7-ydvk-p3fy
Vulnerability ID VCID-v5s7-ydvk-p3fy
Aliases CVE-2013-0269
GHSA-x457-cw4h-hq5f
OSV-101137
Summary JSON gem has Improper Input Validation vulnerability
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
Status Published
Exploitability None
Weighted Severity None
Risk None
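The summary above gives the affected version ranges and names the two things a crafted document could make the parser do: mint arbitrary Symbols and instantiate internal objects. The following Ruby is an added example, not code from the VulnerableCode record or from the json gem itself. It encodes the version ranges quoted in the summary as a check, and shows the parser options a practitioner should pin when handing attacker-controlled JSON to the gem. The `UNTRUSTED_DOCUMENT` input is constructed for the example; the function names are the example's own.

```ruby
require 'json'

# Added example, not part of the VulnerableCode record or the json gem.
# Affected ranges are taken from the advisory summary: the json gem is
# affected before 1.5.5, in 1.6.x before 1.6.8, and in 1.7.x before 1.7.7.
FIXED_BY_SERIES = {
  '1.5' => Gem::Version.new('1.5.5'),
  '1.6' => Gem::Version.new('1.6.8'),
  '1.7' => Gem::Version.new('1.7.7'),
}.freeze

# True when a json gem version string falls inside the affected ranges.
def json_gem_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments.first(2).join('.')
  return version < FIXED_BY_SERIES[series] if FIXED_BY_SERIES.key?(series)
  # Releases older than the 1.5 series predate every fix; anything newer
  # than the 1.7 series already carries it.
  version < Gem::Version.new('1.5.5')
end

# Constructed untrusted input for this example. The "json_class" key is the
# hook that affected versions honoured as an instruction to instantiate a
# Ruby class; a hardened parser must hand it back as plain string data.
UNTRUSTED_DOCUMENT =
  '{"json_class":"JSON::GenericObject","role":"admin","id":7}'

# Parse attacker-controlled JSON into plain Hash/Array/String/Numeric data:
# no additions (no json_class dispatch), string keys only (no Symbol
# creation from attacker-chosen names, which mattered before Symbol GC
# arrived in Ruby 2.2) and a bounded nesting depth.
def parse_untrusted(document)
  JSON.parse(document,
             create_additions: false,
             symbolize_names: false,
             max_nesting: 100)
end

# Recursively confirm the parsed tree contains only plain data types and
# string keys, which is what a caller should see after parse_untrusted.
def plain_data?(value)
  case value
  when Hash
    value.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array
    value.all? { |v| plain_data?(v) }
  when String, Numeric, TrueClass, FalseClass, NilClass
    true
  else
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "json gem #{JSON::VERSION} vulnerable? #{json_gem_vulnerable?(JSON::VERSION)}"
  parsed = parse_untrusted(UNTRUSTED_DOCUMENT)
  puts "parsed class: #{parsed.class}, json_class value: #{parsed['json_class'].inspect}"
  puts "plain data only: #{plain_data?(parsed)}"
end
```

The version check only answers whether the gem itself is in range; `bundle list json` or `Gem.loaded_specs['json']` gives the string to feed it. Keep `JSON.load` and `JSON.restore` away from untrusted input regardless of version, since their defaults have historically left additions enabled; `JSON.parse` with `create_additions: false` stated explicitly is the call to use on request bodies.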
Affected and Fixed Packages
Package Details
Weaknesses (4)
System Score Found at
generic_textual HIGH http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html
generic_textual HIGH http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-0686.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-0701.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-1028.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-1147.html
epss 0.15424 https://api.first.org/data/v1/epss?cve=CVE-2013-0269
generic_textual HIGH https://exchange.xforce.ibmcloud.com/vulnerabilities/82010
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-x457-cw4h-hq5f
generic_textual HIGH https://github.com/flori/json
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml
generic_textual HIGH https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2013-0269
generic_textual HIGH https://web.archive.org/web/20130228082541/http://www.securityfocus.com/bid/57899
generic_textual HIGH https://web.archive.org/web/20160331131233/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
generic_textual HIGH https://web.archive.org/web/20160808163226/https://puppet.com/security/cve/cve-2013-0269
generic_textual HIGH http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released
generic_textual HIGH http://www.openwall.com/lists/oss-security/2013/02/11/7
generic_textual HIGH http://www.openwall.com/lists/oss-security/2013/02/11/8
generic_textual HIGH http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862
generic_textual HIGH http://www.ubuntu.com/usn/USN-1733-1
generic_textual HIGH http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection
Reference id Reference type URL
http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html
http://rhn.redhat.com/errata/RHSA-2013-0686.html
http://rhn.redhat.com/errata/RHSA-2013-0701.html
http://rhn.redhat.com/errata/RHSA-2013-1028.html
http://rhn.redhat.com/errata/RHSA-2013-1147.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0269.json
https://api.first.org/data/v1/epss?cve=CVE-2013-0269
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269
https://exchange.xforce.ibmcloud.com/vulnerabilities/82010
https://github.com/flori/json
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain
https://nvd.nist.gov/vuln/detail/CVE-2013-0269
https://web.archive.org/web/20130228082541/http://www.securityfocus.com/bid/57899
https://web.archive.org/web/20160331131233/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
https://web.archive.org/web/20160808163226/https://puppet.com/security/cve/cve-2013-0269
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
http://www.openwall.com/lists/oss-security/2013/02/11/7
http://www.openwall.com/lists/oss-security/2013/02/11/8
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862
http://www.ubuntu.com/usn/USN-1733-1
http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection
700436 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700436
909029 https://bugzilla.redhat.com/show_bug.cgi?id=909029
GHSA-x457-cw4h-hq5f https://github.com/advisories/GHSA-x457-cw4h-hq5f
GLSA-201412-27 https://security.gentoo.org/glsa/201412-27
RHSA-2013:0686 https://access.redhat.com/errata/RHSA-2013:0686
RHSA-2013:0701 https://access.redhat.com/errata/RHSA-2013:0701
RHSA-2013:1028 https://access.redhat.com/errata/RHSA-2013:1028
RHSA-2013:1147 https://access.redhat.com/errata/RHSA-2013:1147
RHSA-2013:1185 https://access.redhat.com/errata/RHSA-2013:1185
USN-1733-1 https://usn.ubuntu.com/1733-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.94762
EPSS Score 0.15424
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:57:16.946572+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-x457-cw4h-hq5f/GHSA-x457-cw4h-hq5f.json 38.6.0