---
url: http://direct.osvdb.org/show/osvdb/90073
title: |
  Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
  Code Execution 

description: |
  Ruby on Rails contains a flaw in the +serialize+ helper in the Active Record.
  The issue is triggered when the system is configured to allow users to
  directly provide values to be serialized and deserialized using YAML.
  With a specially crafted YAML attribute, a remote attacker can deserialize
  arbitrary YAML and execute code associated with it.

cvss_v2: 10.0

patched_versions:
  - ~> 2.3.17
  - ">= 3.1.0"