There is a symbol DoS vulnerability in Active Record. This vulnerability has been assigned the CVE identifier CVE-2013-1854.
Versions Affected: 3.2.x, 3.1.x, 2.3.x
Not affected: 3.0.x
Fixed Versions: 3.2.13, 3.1.12, 2.3.18
[...]
Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols.