Description
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
Published: 2026-03-20
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Format string injection leading to denial of service or information disclosure
Action: Immediate Patch
AI Analysis

Impact

The Ruby JSON library contains a format string injection flaw that manifests when parsing user supplied JSON documents with the allow_duplicate_key option disabled. The vulnerability affects versions 2.14.0 up to but excluding 2.15.2.1, 2.17.1.2, and 2.19.2. Malicious format specifiers processed during parsing can corrupt the stack, cause a denial of service, or expose internal information, and the weakness is classified as CWE‑134.

Affected Systems

Vulnerable systems include any installations that rely on the Ruby JSON library in the affected ranges: 2.14.0 through prior to 2.15.2.1, prior to 2.17.1.2, and prior to 2.19.2. Any application that parses external JSON with the allow_duplicate_key option set to false in these releases is impacted.

Risk and Exploitability

The CVSS base score of 8.3 indicates high severity. An EPSS of less than 1 % suggests a low probability of exploitation at present, and the vulnerability is not present in CISA’s KEV catalog. Adversaries would need to supply a crafted JSON payload to a vulnerable parser that is configured with allow_duplicate_key disabled; successful exploitation can lead to application crashes or data leakage. Because a patch exists for the affected releases, the risk can be mitigated by updating the dependency.

Generated by OpenCVE AI on March 28, 2026 at 05:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ruby JSON library to at least 2.15.2.1, 2.17.1.2, or 2.19.2, or the latest stable release.
  • If upgrading is not immediately possible, avoid parsing untrusted JSON with allow_duplicate_key set to false, or validate and sanitize inputs prior to parsing.
  • Verify that no code paths enable the vulnerable option by auditing all JSON.parse calls in the codebase.
  • Monitor the application for signs of denial of service or unexpected crashes that could indicate exploitation.

Generated by OpenCVE AI on March 28, 2026 at 05:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3m6g-2423-7cp3 Ruby JSON has a format string injection vulnerability
History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Ruby-lang
Ruby-lang json
CPEs cpe:2.3:a:ruby-lang:json:*:*:*:*:*:ruby:*:*
Vendors & Products Ruby-lang
Ruby-lang json
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

threat_severity

Moderate

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Ruby
Ruby json
Vendors & Products Ruby
Ruby json

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
Title Ruby JSON has a format string injection vulnerability
Weaknesses CWE-134
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ruby Json
Ruby-lang Json
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T21:41:29.624Z

Reserved: 2026-03-17T23:23:58.313Z

Link: CVE-2026-33210

cve-icon Vulnrichment

Updated: 2026-03-23T21:01:59.265Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T23:16:46.010

Modified: 2026-03-27T21:25:30.160

Link: CVE-2026-33210

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-20T22:57:08Z

Links: CVE-2026-33210 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:51Z

Weaknesses