It has the same vulnerability if you pass untrusted input to it, okay.
But the point of the Rails vulnerability is that every Rails app, by default, was set up to accept external user input and run it through an XML parser. Even if you didn't realize it.
If you are using MultiXml, you may or may not be passing untrusted user input to it, depends on what you did with it.
And, really, technically, it was ActiveSupport that had this vulnerability. Even outside of Rails, had you used Hash.from_xml on untrusted user input you would have run into exactly the same issues.
Harder to exploit, perhaps, but given the large number of Rails apps that themselves are likely to be unpatched right now, pivoting to RCE on every customer of a SaaS provider seems like a very viable attack vector. Strongly recommend that everybody look at this seriously.
When I implemented this functionality, it was only to be compatible with the Rails parser.
> Actually paperclip doesn't rely on HTTParty
Correction: Although this might not have much to do with multi_xml if that security risk isn't mitigated.
It will prevent YAML.rb from instantiating arbitrary objects, which will close off this entire class of problems.
Obviously, if you do use YAML as a serialization format for arbitrary objects, this won't work, but odds are you aren't doing that.
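The check the comment above describes, as an added example that is not from any commenter or from the multi_xml or Rails projects: parse untrusted YAML with `YAML.safe_load`, so that a document carrying a `!ruby/object` tag is refused instead of instantiating a class, while the plain data an application actually expects still loads. The sample documents and the `load_untrusted_yaml` helper are constructed here for illustration; the class named in the tagged sample is arbitrary.

```ruby
require 'yaml'

# Constructed sample: the plain data an application would legitimately expect.
PLAIN_DOC = "---\nname: widget\ncount: 3\n"

# Constructed sample: a document that asks the loader to build a Ruby object.
# The class named in the tag is irrelevant; the point is that the tag is refused.
TAGGED_DOC = "--- !ruby/object:OpenStruct\ntable:\n  a: 1\n"

# Constructed sample: a Symbol value. Symbols are not among safe_load's default
# permitted classes, so loading this needs an explicit allowlist entry.
SYMBOL_DOC = "---\nstate: :active\n"

# Parse YAML from an untrusted source. safe_load refuses any tag that would
# instantiate a class outside the allowlist (Psych::DisallowedClass) and,
# with aliases disabled, refuses alias-based documents too (Psych::BadAlias).
# Returns [:ok, data] on success or [:rejected, message] otherwise.
def load_untrusted_yaml(text, permitted: [])
  data = YAML.safe_load(text, permitted_classes: permitted, aliases: false)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted_yaml(PLAIN_DOC)                       # [:ok, {"name"=>"widget", "count"=>3}]
  p load_untrusted_yaml(TAGGED_DOC)                      # [:rejected, "Tried to load unspecified class: OpenStruct"]
  p load_untrusted_yaml(SYMBOL_DOC)                      # [:rejected, ...Symbol...]
  p load_untrusted_yaml(SYMBOL_DOC, permitted: [Symbol]) # [:ok, {"state"=>:active}]
end
```

The allowlist is the escape hatch the comment alludes to: if a particular document type legitimately needs Symbol, Date or a specific application class, permit exactly those classes rather than falling back to `YAML.load`. For the ActiveSupport side of the same problem, the advisory for the XML parsing vulnerability recommended removing the `yaml` and `symbol` type casts from `ActiveSupport::XmlMini::PARSING` so that `Hash.from_xml` never hands element contents to the YAML loader at all.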
I commented here:
irb(main):001:0> require 'yaml'