CVE-2013-5036
published 2014-05-27

Priority: P269 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 46.18% (98.7th percentile)
The Square Squash allows remote attackers to execute arbitrary code via a YAML document in the (1) namespace parameter to the deobfuscation function or (2) sourcemap parameter to the sourcemap function in app/controllers/api/v1_controller.rb.

Detection & IOCs (extracted from sources)

url: /api/1.0/deobfuscation
command: --- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'<rand>;eval(%[<base64_payload>].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}
path: app/controllers/api/v1_controller.rb
  • Detect POST requests to /api/1.0/deobfuscation with a JSON body containing a 'namespace' key holding a base64+zlib-compressed YAML payload; HTTP 422 response to a probe of this endpoint indicates potential vulnerability.
  • Look for YAML deserialization gadget strings in POST body parameters: '!ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection' and '!ruby/object:OpenStruct' are hallmarks of this exploit's payload.
  • The exploit encodes the YAML payload as base64(zlib-deflate) and embeds it in the 'namespace' JSON field; monitor for unusually large or high-entropy base64 strings in the 'namespace' or 'sourcemap' parameters of API requests to Squash.
  • The attack targets both the 'namespace' parameter (deobfuscation endpoint) and the 'sourcemap' parameter (sourcemap endpoint) in the Squash API controller; monitor POST requests to both /api/1.0/deobfuscation and the sourcemap equivalent.
  • The exploit uses a hardcoded but arbitrary api_key value of '1'; real deployments may require a valid API key, meaning unauthenticated exploitation depends on the target's API key validation being absent or bypassable.
  • The payload architecture is Ruby (ARCH_RUBY), meaning the injected code executes within the Ruby/Rails process context; detection and containment should account for Ruby eval-based execution rather than OS-level shell spawning.
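The detection bullets above describe an inspection that a WAF rule or log-analysis job can perform: for a POST to the deobfuscation (or sourcemap) endpoint, base64-decode and zlib-inflate the 'namespace' / 'sourcemap' parameter and look for Ruby-specific YAML tags, in particular the two gadget tags listed as hallmarks of this payload. The following is an added example written for this page, not code from Squash or from any exploit module; the sourcemap path, the size threshold and the sample request bodies are assumptions, and the "malicious" sample carries only the gadget tags with a placeholder key, not executable code.

```python
import base64
import json
import re
import zlib
from typing import List, Optional

# Gadget tags quoted on this page as hallmarks of the CVE-2013-5036 payload.
KNOWN_GADGET_TAGS = (
    "!ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection",
    "!ruby/object:OpenStruct",
)
# Any Ruby-specific YAML tag is out of place in these parameters, which should
# carry plain data rather than serialized Ruby objects.
RUBY_TAG_RE = re.compile(r"!ruby/(?:hash|object|struct|array|string|exception|regexp|class|module)\b")
WATCHED_PARAMS = ("namespace", "sourcemap")
# The deobfuscation path is from the page; the sourcemap path is an assumption.
WATCHED_PATHS = ("/api/1.0/deobfuscation", "/api/1.0/sourcemap")
# Assumed threshold for "unusually large" base64 values (bytes of base64 text).
SIZE_THRESHOLD = 4096


def encode_payload(data: bytes) -> str:
    """Apply the base64(zlib-deflate) encoding the IOC list describes (used to build samples)."""
    return base64.b64encode(zlib.compress(data)).decode("ascii")


def decode_payload(value: str) -> Optional[bytes]:
    """Undo base64(zlib-deflate); return None when the value is not encoded that way."""
    try:
        return zlib.decompress(base64.b64decode(value, validate=True))
    except (ValueError, zlib.error):
        return None


def inspect_request(method: str, path: str, body: str) -> List[str]:
    """Return a list of findings for one HTTP request; empty means nothing suspicious."""
    findings: List[str] = []
    if method.upper() != "POST" or path not in WATCHED_PATHS:
        return findings
    try:
        params = json.loads(body)
    except json.JSONDecodeError:
        return findings
    if not isinstance(params, dict):
        return findings
    for name in WATCHED_PARAMS:
        value = params.get(name)
        if not isinstance(value, str):
            continue
        if len(value) > SIZE_THRESHOLD:
            findings.append(f"{name}: base64 value larger than {SIZE_THRESHOLD} bytes")
        decoded = decode_payload(value)
        if decoded is None:
            continue
        text = decoded.decode("utf-8", errors="replace")
        hits = [tag for tag in KNOWN_GADGET_TAGS if tag in text]
        for tag in hits:
            findings.append(f"{name}: known gadget tag {tag}")
        if not hits and RUBY_TAG_RE.search(text):
            findings.append(f"{name}: Ruby-specific YAML tag present in decoded payload")
    return findings


# Constructed samples (not captured traffic). The malicious one keeps only the
# gadget tags from the page with a placeholder key, so it is not a working payload.
MALICIOUS_YAML = (
    "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n"
    "'<constructed placeholder, no code>': !ruby/object:OpenStruct\n"
    "  table:\n"
    "    :defaults: {}\n"
)
BENIGN_YAML = "--- \ncom.example.app: {}\n"
MALICIOUS_BODY = json.dumps({"api_key": "1", "namespace": encode_payload(MALICIOUS_YAML.encode())})
BENIGN_BODY = json.dumps({"api_key": "1", "namespace": encode_payload(BENIGN_YAML.encode())})

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_request("POST", "/api/1.0/deobfuscation", body))
```

The size check is only a weak heuristic, so the decoded-content checks carry the decision; on the application side, the corresponding mitigation is to parse these parameters with Psych's `YAML.safe_load`, which rejects `!ruby/...` tags for classes that are not explicitly permitted, instead of `YAML.load`.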