{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27788", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-06T18:06:54.461Z", "datePublished": "2025-03-12T13:51:53.348Z", "dateUpdated": "2025-03-12T14:04:35.186Z"}, "containers": {"cna": {"title": "Ruby JSON Parser has Out-of-bounds Read", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44"}, {"name": "https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf", "tags": ["x_refsource_MISC"], "url": "https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf"}, {"name": "https://github.com/ruby/json/releases/tag/v2.10.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/ruby/json/releases/tag/v2.10.2"}], "affected": [{"vendor": "ruby", "product": "json", "versions": [{"version": ">= 2.10.0, < 2.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-12T13:51:53.348Z"}, "descriptions": [{"lang": "en", "value": "JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted document could cause an out of bound read, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable. Version 2.10.2 fixes the problem. No known workarounds are available."}], "source": {"advisory": "GHSA-9m3q-rhmv-5q44", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T14:04:18.145982Z", "id": "CVE-2025-27788", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T14:04:35.186Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27788", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T14:04:18.145982Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T14:04:23.186Z"}}], "cna": {"title": "Ruby JSON Parser has Out-of-bounds Read", "source": {"advisory": "GHSA-9m3q-rhmv-5q44", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ruby", "product": "json", "versions": [{"status": "affected", "version": ">= 2.10.0, < 2.10.2"}]}], "references": [{"url": "https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44", "name": "https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf", "name": "https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ruby/json/releases/tag/v2.10.2", "name": "https://github.com/ruby/json/releases/tag/v2.10.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted document could cause an out of bound read, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable. Version 2.10.2 fixes the problem. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-12T13:51:53.348Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27788", "state": "PUBLISHED", "dateUpdated": "2025-03-12T14:04:35.186Z", "dateReserved": "2025-03-06T18:06:54.461Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-12T13:51:53.348Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:javascript_object_notation:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "51A03F9E-C16B-4045-B72A-68D238B1ECC4", "versionEndExcluding": "2.10.2", "versionStartIncluding": "2.10.0 ", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted document could cause an out of bound read, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable. Version 2.10.2 fixes the problem. No known workarounds are available."}, {"lang": "es", "value": "JSON es una implementaci\u00f3n de JSON para Ruby. A partir de la versi\u00f3n 2.10.0 y anteriores a la 2.10.2, un documento especialmente manipulado pod\u00eda provocar una lectura fuera de los l\u00edmites, lo que probablemente provocar\u00eda un bloqueo. Las versiones anteriores a la 2.10.0 no son vulnerables. La versi\u00f3n 2.10.2 soluciona el problema. No se conocen workarounds."}], "id": "CVE-2025-27788", "lastModified": "2025-04-02T12:35:54.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-12T14:15:16.770", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ruby/json/releases/tag/v2.10.2"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "json: Ruby JSON Parser has Out-of-bounds Read", "id": "2351856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351856"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted document could cause an out of bound read, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable. Version 2.10.2 fixes the problem. No known workarounds are available.", "A flaw was found in the JSON gem for Ruby. This vulnerability causes an out-of-bounds read via a specially crafted document, possibly resulting in a crash."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-27788", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "3scale-amp-zync-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "json", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}], "public_date": "2025-03-12T13:51:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-27788\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27788\nhttps://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf\nhttps://github.com/ruby/json/releases/tag/v2.10.2\nhttps://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44"], "statement": "No Red Hat products are vulnerable to this CVE, as it does not affect the versions or configurations of the products used in its distributions.", "threat_severity": "Important"}