Ruby · Multi Xml · CVE-2013-0175
**Name of the Vulnerable Software and Affected Versions**
multi_xml gem version 0.5.2
Grape versions prior to 0.2.6
**Description**
The issue allows remote attackers to conduct object-injection attacks and execute arbitrary code, or to cause a denial of service through nested XML entity references. Both are reached through the parser's typecasting of string values: an element whose `type` attribute requests YAML or Symbol conversion has its text converted into a live Ruby object instead of being kept as a string.
**Recommendations**
For multi_xml gem version 0.5.2, update to a version that properly restricts casts of string values.
For Grape versions prior to 0.2.6, update to version 0.2.6 or later to mitigate the risk of object-injection attacks and denial of service.
As a temporary workaround until you can upgrade, disable YAML type conversion and Symbol type conversion, or reject request bodies that ask for them before they reach the parser.
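The following guard is an added example, not code from the multi_xml or Grape projects: it uses REXML from Ruby's standard distribution to reject, before parsing, any document that requests a YAML or Symbol cast or that carries a DOCTYPE (where the nested entity declarations behind the denial of service would live). The sample documents are constructed for the example.

```ruby
require "rexml/document"

# Type attributes that multi_xml 0.5.2 turned into live Ruby objects
# (YAML for "yaml", String#to_sym for "symbol"). Rejecting them before the
# document reaches a typecasting parser is the workaround the advisory describes.
DISALLOWED_XML_TYPES = %w[yaml symbol].freeze

class UnsafeXmlError < StandardError; end

# Returns [element_name, type] for every element whose type attribute is
# disallowed. Matching is case-insensitive on purpose so "YAML" is caught too.
def disallowed_typed_nodes(xml, disallowed = DISALLOWED_XML_TYPES)
  doc = REXML::Document.new(xml)
  hits = []
  REXML::XPath.each(doc, "//*[@type]") do |el|
    t = el.attributes["type"].to_s.downcase
    hits << [el.name, t] if disallowed.include?(t)
  end
  hits
end

# True when the document declares a DOCTYPE. API request bodies have no reason
# to carry one, and it is where entity declarations for expansion attacks live.
def has_doctype?(xml)
  !REXML::Document.new(xml).doctype.nil?
end

# Guard to run before handing a body to a typecasting XML parser: returns the
# input unchanged when clean, raises UnsafeXmlError otherwise.
def assert_safe_xml!(xml)
  raise UnsafeXmlError, "DOCTYPE present" if has_doctype?(xml)
  hits = disallowed_typed_nodes(xml)
  return xml if hits.empty?
  raise UnsafeXmlError, "disallowed type attribute: " +
    hits.map { |name, t| "<#{name} type=\"#{t}\">" }.join(", ")
end

# Constructed samples (not taken from the advisory).
SAFE_XML = <<~XML
  <user><name>alice</name><age type="integer">30</age></user>
XML

UNSAFE_XML = <<~XML
  <user><name>alice</name><prefs type="yaml">---
  theme: dark
  </prefs></user>
XML

DOCTYPE_XML = <<~XML
  <!DOCTYPE user [ <!ENTITY a "aaaa"> <!ENTITY b "&a;&a;&a;&a;"> ]>
  <user><name>&b;</name></user>
XML
```

Run `assert_safe_xml!` on each request body before calling the XML parser; the integer-typed sample passes while the yaml-typed and DOCTYPE samples raise.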