mysql-binuuid-rails is vulnerable to SQL injection. A query such as
Model.where(uuid: "ff' OR ''='") is turned into:
SELECT `model`.* FROM `model` WHERE `model`.`uuid` = x'ff' OR ''='' LIMIT 11
ActiveRecord does not explicitly escape the Binary data type
(Type::Binary::Data) for MySQL. The escaping is implicit, because the
Binary data type always converts its value to a hex string before ActiveRecord uses it.
mysql-binuuid-rails uses a data type derived from the base Binary type,
except that it does not convert the value to hex. Instead, it assumes the string value provided is already a valid hex string and performs no checks on it, so the raw string ends up inside the x'...' literal.
Affected versions: mysql-binuuid-rails <= 1.1.0
The issue was worked on by Stan Pitucha, Geoff Evason and Emmanuel Joubaud from Envato.
CVE-2018-18476 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18476