Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer, `b`, populating it with the attribute name, and then freeing it — but it passed the uninitialized stack buffer buf (not b) to rb_intern3(). rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf. The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents. This issue has been fixed in version 3.17.3.
Published: 2026-06-30
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oj (Optimized JSON) is a Ruby gem that parses JSON and produces Ruby objects. In versions prior to 3.17.3, the form_attr function in ext/oj/intern.c performs an uninitialized stack read when handling a JSON object key that is 254 bytes or longer. The function allocates a heap buffer and copies the key into it, but mistakenly passes an uninitialized stack buffer to rb_intern3(). As a result, rb_intern3 reads len + 1 bytes of uninitialized stack memory, and for keys of 256 bytes or more it also reads beyond the 256-byte buffer. The bytes returned by rb_intern3 are interned as a Symbol or surfaced in an EncodingError message, giving an attacker a copy of those bytes of process stack memory. The vulnerability is therefore an out-of-bounds read of uninitialized data that can disclose confidential information, matching CWE-125 (out-of-bounds read) and CWE-908 (use of uninitialized resource).

Affected Systems

The affected product is the oj Ruby gem supplied by ohler55. All releases before version 3.17.3 are vulnerable. An application that loads JSON data with Oj.load in :object mode and accepts keys that can be 254 bytes or longer is impacted. The issue is fixed in Oj 3.17.3 and later versions.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium-severity vulnerability. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation at present. An attacker can supply a crafted JSON object containing long keys to trigger the uninitialized stack read. The leaked material is stack data, which could contain sensitive information. Because the bug is triggered during normal parsing of input, any platform or service that evaluates untrusted JSON via Oj.load in :object mode is a potential target. While the current description gives no indication of remote code execution, the ability to read stack memory raises the risk of data exfiltration.

Generated by OpenCVE AI on July 1, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Oj gem to a version that includes the fix (3.17.3 or newer).
  • If an immediate upgrade is not possible, avoid using :object mode with untrusted JSON payloads, or pre-validate keys to be shorter than 256 characters before calling Oj.load.
  • If the application can switch to a different JSON parser that does not have this vulnerability, consider migrating to another safe parser or applying custom input sanitization.
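As an added example (not code from the Oj project or from this page), a pre-validation guard for the second recommendation: it parses the payload with Ruby's standard JSON library, which builds plain Hashes and never enters Oj's intern.c, walks every object key, and refuses to hand the document to Oj.load(..., mode: :object) if any key reaches the 254-byte threshold from the description. The threshold is measured in bytes rather than characters, so a key of 127 two-byte UTF-8 characters is also rejected; the `load_object_mode` name and its injectable `loader` are assumptions.

```ruby
require "json"

# Threshold taken from the advisory text: keys of 254 bytes or longer reach
# the long-key path in form_attr(). Measured in bytes, not characters, because
# the buffer involved is a fixed 256-byte C array.
LONG_KEY_BYTES = 254

# Recursively collect every object key whose byte length reaches the limit.
# Input is an already-parsed Ruby structure (Hash / Array / scalars).
def long_keys(node, limit = LONG_KEY_BYTES, found = [])
  case node
  when Hash
    node.each do |key, value|
      found << key if key.to_s.bytesize >= limit
      long_keys(value, limit, found)
    end
  when Array
    node.each { |value| long_keys(value, limit, found) }
  end
  found
end

# True when the raw JSON text can be handed to Oj.load in :object mode,
# false when any key is at or above the threshold. The stdlib parser is used
# for the check so the check itself cannot trigger the bug.
def safe_for_object_mode?(json_text, limit = LONG_KEY_BYTES)
  long_keys(JSON.parse(json_text), limit).empty?
end

# Guarded loader (assumed name). `loader` defaults to Oj.load in :object mode
# when the oj gem is present; callers without the gem can inject a stand-in.
def load_object_mode(json_text, loader: nil)
  unless safe_for_object_mode?(json_text)
    raise ArgumentError, "JSON object key of #{LONG_KEY_BYTES}+ bytes rejected"
  end
  loader ||= ->(text) { Oj.load(text, mode: :object) }
  loader.call(json_text)
end

# Constructed sample inputs: a benign document (longest key 253 bytes), one with
# a 254-byte ASCII key, and one whose key is 127 characters but 254 bytes.
SHORT_KEY_DOC = JSON.generate({ "a" * 253 => 1, "nested" => [{ "ok" => true }] })
LONG_KEY_DOC  = JSON.generate({ "outer" => { "k" * 254 => "x" } })
UTF8_KEY_DOC  = JSON.generate({ "\u00e9" * 127 => 1 })
```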

Advisories
Source: GitHub GHSA
ID: GHSA-fm7p-mprw-wjm9
Title: Oj: intern.c form_attr (uninitialized stack read)
History

Tue, 30 Jun 2026 23:45:00 +0000

Type: Description
Values Added: (identical to the Description section above)

Type: Title
Values Added: Oj: intern.c form_attr has an uninitialized stack read

Type: Weaknesses
Values Added: CWE-125, CWE-908

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}



MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-30T23:08:28.789Z
Reserved: 2026-06-15T18:01:15.511Z
Link: CVE-2026-54500

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T00:30:06Z

Weaknesses