Squash remote code execution vulnerability advisory


A security flaw in Square’s open source project “Squash” was fixed silently by the developers June 24th, which I happened to have stumbled upon but not disclosed at the time. But since I couldn’t find an advisory for it, here it goes. Metasploit module can be found below.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2013-5036 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.


The Squash API is intended for clients to submit details about exceptions and bugs. As a part of that, a YAML dump can be submitted. However before the patch, without supplying an API key, one could submit a YAML to the functions deobfuscation and sourcemap in app/controllers/api/v1_controller.rb.

Note that the YAML load is not specified as using the safe load, which means we can exploit this by sending a YAML payload.

Proof of concept

Metasploit module