[jmileham]

If you're consuming even one third-party XML API using multi_xml, that means you're open to RCE if that API provider is malicious or itself compromised, as well as man in the middle attacks if you're not consuming the API via SSL.

Harder to exploit, perhaps, but given the large number of Rails apps that themselves are likely to be unpatched right now, pivoting to RCE on every customer of a SaaS provider seems like a very viable attack vector. Strongly recommend that everybody look at this seriously.