Skip to content

Instantly share code, notes, and snippets.

Last active Oct 23, 2018
What would you like to do?


mysql-binuuid-rails is vulnerable to SQL injection: Model.where(uuid: "ff' OR ''='") turns into:

SELECT  `model`.* FROM `model` WHERE `model`.`uuid` = x'ff' OR ''='' LIMIT 11

Root cause

ActiveRecord does not explicitly escape the Binary data type (Type::Binary::Data) for mysql. The escaping is implicit as the Binary data type always converts it’s value to a hex string for ActiveRecord to use.

mysql-binuuid-rails uses a data type that is derived from the base Binary type, except, it doesn’t convert the value to hex. Instead, it assumes the string value provided is a valid hex string and doesn’t do any checks on it.

Vulnerable versions

mysql-binuuid-rails <= 1.1.0


The issue was worked on by Stan Pitucha, Geoff Evason, Emmanuel Joubaud from Envato


CVE-2018-18476 -

Fix -

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment