Impact
Oj (Optimized JSON) is a Ruby gem that parses JSON and produces Ruby objects. In versions prior to 3.17.3, the form_attr function in the intern.c source performs an uninitialized stack read when handling a JSON object key that is 254 bytes or longer. form_attr keeps a 256-byte stack buffer for short keys; once a key no longer fits (254 bytes or more), it allocates a heap buffer and copies the key into it, but then mistakenly passes the untouched stack buffer, not the heap copy, to rb_intern3(). As a result, rb_intern3 reads len + 1 bytes of uninitialized stack memory, and for keys of 256 bytes or more it also reads beyond the end of the 256-byte buffer into the rest of the stack. Those bytes are interned as a Symbol or, if they are not valid UTF-8, echoed back in the EncodingError message, so an attacker who can observe symbols or error text obtains up to len + 1 bytes of the process stack per key. The vulnerability is therefore an out-of-bounds read of uninitialized data that can disclose confidential information, aligning with CWE-125 (Out-of-bounds Read) and CWE-908 (Use of Uninitialized Resource).
Affected Systems
The affected product is the oj Ruby gem supplied by ohler55. All releases before version 3.17.3 are vulnerable. An application that loads JSON data with Oj.load in :object mode and accepts object keys that can be 254 bytes or longer is impacted. The issue is fixed in Oj 3.17.3 and later versions.
Risk and Exploitability
The CVSS score of 5.3 indicates a medium severity vulnerability. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at present. An attacker can supply a specially crafted JSON object containing one or more keys of 254 bytes or longer to trigger the uninitialized stack read; no special structure beyond the key length is required. The material leaked is stack data, which could contain sensitive information such as pointers, keys or fragments of other requests. Because the bug is triggered during normal parsing of input, any platform or service that evaluates untrusted JSON via Oj.load in object mode is a potential target. Nothing in the description indicates remote code execution: the defect is a read, not a write. The ability to read stack memory still elevates the risk for data exfiltration, and since the read length follows the key length, a read that runs far enough past the buffer can also fault and crash the process. Independently of this bug, Oj's :object mode instantiates arbitrary Ruby classes from the input, so it should not be pointed at untrusted JSON at all; upgrading to 3.17.3 fixes the read but does not make object mode safe for hostile data.
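The following is an added example, not code from the advisory or from the Oj project, showing both the trigger condition described above and a stopgap for applications that cannot upgrade immediately. It preflights untrusted JSON with Ruby's stdlib parser (which never reaches Oj's intern.c), walks every object key, and refuses the document if any key reaches the 254-byte threshold; only then would Oj.load in :object mode be called. The constants, the helper names and the sample payloads are constructed for this example. The threshold is measured in bytes, as the C code does, so a multibyte key is judged by bytesize rather than character count.

```ruby
require 'json'

# Threshold from the advisory: form_attr leaves its 256-byte stack buffer
# for a heap copy when (256 - 2) <= len, i.e. keys of 254 bytes or more.
OJ_FORM_ATTR_MIN_BAD_KEY = 254

# Recursively collect every object key whose byte length meets the
# threshold, with a JSONPath-style location for logging.
def oversized_keys(node, path = '$', found = [])
  case node
  when Hash
    node.each do |key, value|
      child = "#{path}['#{key[0, 16]}']"
      found << { path: child, bytesize: key.bytesize } if key.bytesize >= OJ_FORM_ATTR_MIN_BAD_KEY
      oversized_keys(value, child, found)
    end
  when Array
    node.each_with_index { |v, i| oversized_keys(v, "#{path}[#{i}]", found) }
  end
  found
end

# Preflight with the stdlib parser: true only if the text parses and no key
# could push Oj's form_attr onto the buggy heap-copy path.
def safe_for_oj_object_mode?(json_text)
  oversized_keys(JSON.parse(json_text)).empty?
rescue JSON::ParserError
  false
end

# Hypothetical wrapper an application would call instead of Oj.load directly.
# oj is only required after the guard passes, so this file runs without it.
def load_object_mode(json_text)
  unless safe_for_oj_object_mode?(json_text)
    raise ArgumentError, "rejected: object key of #{OJ_FORM_ATTR_MIN_BAD_KEY}+ bytes"
  end
  require 'oj'
  Oj.load(json_text, mode: :object)
end

# Constructed payloads for illustration.
LONG_KEY = 'A' * OJ_FORM_ATTR_MIN_BAD_KEY                      # exactly at the threshold
CRAFTED  = JSON.generate({ 'id' => 1, LONG_KEY => 'x' })
NESTED   = JSON.generate({ 'items' => [{ 'k' => { 'B' * 300 => 0 } }] })  # 300 bytes, also reads past buf
BENIGN   = JSON.generate({ 'id' => 1, 'n' * 253 => 'x', 'items' => [{ 'k' => 1 }] })
MULTIBYTE = JSON.generate({ 'é' * 127 => 1 })                  # 127 chars but 254 bytes

if __FILE__ == $PROGRAM_NAME
  [['crafted', CRAFTED], ['nested', NESTED], ['benign', BENIGN], ['multibyte', MULTIBYTE]].each do |name, doc|
    puts "#{name}: #{safe_for_oj_object_mode?(doc) ? 'ok' : 'REJECTED ' + oversized_keys(JSON.parse(doc)).inspect}"
  end
end
```

This guard is a stopgap, not a fix: it relies on the stdlib parser and Oj agreeing on what the document contains, and any parser differential between the two would let a key through. The correct remediation is to upgrade to Oj 3.17.3 or later and to stop using :object mode on untrusted input.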
OpenCVE Enrichment
Github GHSA