diff --git a/CHANGELOG.markdown b/CHANGELOG.markdown
index 538d174d4..639b0654a 100644
--- a/CHANGELOG.markdown
+++ b/CHANGELOG.markdown
@@ -1,3 +1,7 @@
+0.2.1.1 (1/11/2013)
+====================
+* Fix: CVE-2013-0175, `multi_xml` parse vulnerability, require 'multi_xml' 0.5.2 - [@dblock](http://github.com/dblock).
+
 0.2.1 (7/11/2012)
 =================
diff --git a/grape.gemspec b/grape.gemspec
index 133f7cdba..4313f294c 100644
--- a/grape.gemspec
+++ b/grape.gemspec
@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
 s.add_runtime_dependency 'rack-mount'
 # s.add_runtime_dependency 'rack-jsonp'
 s.add_runtime_dependency 'multi_json'
- s.add_runtime_dependency 'multi_xml'
+ s.add_runtime_dependency 'multi_xml', '>= 0.5.2'
 s.add_runtime_dependency 'hashie', '~> 1.2'
 s.add_development_dependency 'rake'
diff --git a/lib/grape/middleware/base.rb b/lib/grape/middleware/base.rb
index be7de3864..b9e61bd1d 100644
--- a/lib/grape/middleware/base.rb
+++ b/lib/grape/middleware/base.rb
@@ -70,6 +70,10 @@ def parsers
 PARSERS.merge(options[:parsers] || {})
 end
+ def content_type_for(format)
+ Hash.new(content_types)[format.to_sym]
+ end
+
 def content_types
 CONTENT_TYPES.merge(options[:content_types] || {})
 end
diff --git a/lib/grape/middleware/formatter.rb b/lib/grape/middleware/formatter.rb
index 03aeda166..50266c3b6 100644
--- a/lib/grape/middleware/formatter.rb
+++ b/lib/grape/middleware/formatter.rb
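Review bot: In the new `content_type_for`, `Hash.new(content_types)[format.to_sym]` never looks `format` up: `Hash.new(obj)` builds an empty hash whose default value is `obj`, so indexing it with any key returns the whole `content_types` hash, which is truthy even when the format is unknown. Callers that test `if content_type_for(fmt)` therefore treat every format as supported, and the 406 branch added to formatter.rb in this same commit cannot be reached. A plain lookup `content_types[format.to_sym]` returns nil for unknown formats (assuming `content_types` is keyed by symbols, as the `to_sym` suggests); a nil `format` would still raise on `to_sym`, so guard it first, e.g. `return nil if format.nil?`. The enclosing class is outside the hunk.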
@@ -25,11 +25,23 @@ def before
 parser = parser_for fmt
 unless parser.nil?
 begin
- body = parser.call(body)
- env['rack.request.form_hash'] = !env['rack.request.form_hash'].nil? ? env['rack.request.form_hash'].merge(body) : body
- env['rack.request.form_input'] = env['rack.input']
- rescue
- # It's possible that it's just regular POST content -- just back off
+ fmt = mime_types[request.media_type] if request.media_type
+ if content_type_for(fmt)
+ parser = parser_for fmt
+ unless parser.nil?
+ begin
+ body = parser.call body
+ env['rack.request.form_hash'] = !env['rack.request.form_hash'].nil? ? env['rack.request.form_hash'].merge(body) : body
+ env['rack.request.form_input'] = env['rack.input']
+ rescue
+ # It's possible that it's just regular POST content -- just back off
+ end
+ end
+ else
+ throw :error, :status => 406, :message => 'The requested content-type is not supported.'
+ end
+ ensure
+ env['rack.input'].rewind
 end
 end
 env['rack.input'].rewind
diff --git a/lib/grape/version.rb b/lib/grape/version.rb
index 9b2a11076..98ba43a3b 100644
--- a/lib/grape/version.rb
+++ b/lib/grape/version.rb
@@ -1,3 +1,3 @@
 module Grape
- VERSION = '0.2.1'
+ VERSION = '0.2.1.1'
 end
diff --git a/spec/grape/api_spec.rb b/spec/grape/api_spec.rb
index a7595cc4e..52e169bd8 100644
--- a/spec/grape/api_spec.rb
+++ b/spec/grape/api_spec.rb
@@ -766,7 +766,19 @@ def three
 last_response.status.should eql 403
 end
 end
+
+ context "muti_xml" do
+ it "doesn't parse yaml" do
+ subject.put :yaml do
+ params[:tag]
+ end
+ expect {
+ put '/yaml', 'a123', "CONTENT_TYPE" => "application/xml"
+ }.to raise_error(MultiXml::DisallowedTypeError)
+ end
+ end
+
 context "routes" do
 describe "empty api structure" do
 it "returns an empty array of routes" do
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 80104abf4..4c5cdcade 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
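Review bot: A request whose Content-Type is not in `mime_types` does not reach the new 406 path: `fmt = mime_types[request.media_type]` becomes nil and `content_type_for(fmt)` then calls `to_sym` on nil, raising NoMethodError before the `else` branch; the surrounding `begin` has only an `ensure`, so unless something outside the hunk rescues it the client gets a server error instead of a 406. Guarding the lookup, `if fmt && content_type_for(fmt)`, sends unknown media types down the 406 branch. Separately, the bare `rescue` around `parser.call body` swallows every StandardError a parser raises, including a refusal to parse disallowed content, and silently treats the body as regular POST content; rescuing only the parse-error classes you intend to tolerate keeps such refusals visible as client errors. The enclosing `before` method starts and ends outside the hunk.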
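Review bot: The body `'a123'` sent in the new "muti_xml" example is not an XML document, so the example does not show that a disallowed `type` attribute is rejected; whatever raises for a non-XML body, it is not clearly the type restriction. Send a well-formed element that carries the disallowed type so that `MultiXml::DisallowedTypeError` is the only plausible failure, and rename the context to `"multi_xml"`. Note also that the formatter change in this commit wraps `parser.call body` in a bare `rescue`; if `DisallowedTypeError` descends from StandardError it would be swallowed there rather than propagate to this `raise_error` expectation, so it is worth confirming which code path actually raises. The enclosing `describe` block is outside the hunk.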
@@ -23,6 +23,5 @@ RSpec.configure do |config|
 config.include Rack::Test::Methods
- config.include Rack::Test::Methods::Patch
 end
diff --git a/spec/support/rack_patch.rb b/spec/support/rack_patch.rb
deleted file mode 100644
index f78bc37cf..000000000
--- a/spec/support/rack_patch.rb
+++ /dev/null
@@ -1,25 +0,0 @@
-unless Rack::Test::Session.method_defined?(:patch)
- module Rack
- module Test
- module Methods
- module Patch
- extend Forwardable
- def_delegators :current_session, *[:patch]
- end
- end
- end
- end
-
- module Rack
- module Test
- class Session
- def patch(uri, params = {}, env = {}, &block)
- env = env_for(uri, env.merge(:method => "PATCH", :params => params))
- process_request(uri, env, &block)
- end
- end
- end
- end
-else
- raise LoadError, "Remove spec/support/rack_patch.rb | rack-test #{Rack::Test::VERSION} has a method patch"
-end
\ No newline at end of file