CVE-2013-4164

Exp

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.

Published: 2013-11-23 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2013-4164 is rated High Exploit Risk (81.6/100): CVSS Medium severity, with high exploitation likelihood (EPSS 34.97%, 98th percentile). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +23.01% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2013-4164

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2013-4164

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 11.96% 34.97% +23.01%
2 2026-03-04 22.56% 11.96% -10.60%
3 2026-03-01 22.56%

Full EPSS history (48 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2013-4164

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.8 2.0 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
8.6 6.4 [email protected]

Weakness enumeration for CVE-2013-4164

OS Trackers for CVE-2013-4164

vendor priority summary link
gentoo normal CVE-2013-4164: 1 GLSA(s) (201412-27), 1 atom(s) (dev-lang/ruby); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-4164
redhat critical https://access.redhat.com/security/cve/CVE-2013-4164
ubuntu medium CVE-2013-4164 medium priority: Ubuntu including 4 source packages (ruby1.8, ruby1.9, ruby1.9.1, ruby2.0), 28 status rows across 7 suites (lucid, precise, quantal, raring, saucy, trusty, upstream): released 12, DNE 10, ignored 4, needs-triage 2. https://ubuntu.com/security/CVE-2013-4164

Affected software / configurations for CVE-2013-4164

Vendor Product Version Raw CPE
ruby-lang ruby 1.8 cpe:2.3:a:ruby-lang:ruby:1.8:*:*:*:*:*:*:*
ruby-lang ruby 1.9 cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*
ruby-lang ruby 1.9.1 cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*
ruby-lang ruby 1.9.2 cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*
ruby-lang ruby 1.9.3 cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*
ruby-lang ruby 2.0.0 cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*
ruby-lang ruby 2.1 cpe:2.3:a:ruby-lang:ruby:2.1:preview1:*:*:*:*:*:*

References for CVE-2013-4164

URL Tags
http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html
http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00009.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00027.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00028.html
http://osvdb.org/100113
http://rhn.redhat.com/errata/RHSA-2013-1763.html
http://rhn.redhat.com/errata/RHSA-2013-1764.html
http://rhn.redhat.com/errata/RHSA-2013-1767.html
http://rhn.redhat.com/errata/RHSA-2014-0011.html
http://rhn.redhat.com/errata/RHSA-2014-0215.html
http://secunia.com/advisories/55787 Vendor Advisory
http://secunia.com/advisories/57376
http://www.debian.org/security/2013/dsa-2809
http://www.debian.org/security/2013/dsa-2810
http://www.securityfocus.com/bid/63873
http://www.ubuntu.com/usn/USN-2035-1
https://puppet.com/security/cve/cve-2013-4164
https://support.apple.com/kb/HT6536
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164 Exploit
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released Patch
cvelogic Threat Intelligence