Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the (size_t) cast preserves the large value and memset writes 2 GB into the stack-allocated out buffer (4,184 bytes), corrupting the stack and crashing the process. This issue has been fixed in version 3.17.2.
Published: 2026-06-30
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Oj (Optimized JSON) Ruby gem when Oj.dump receives an excessively large :indent value. The code in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the cast preserves the large value and memset writes 2 GB into the stack-allocated out buffer (4,184 bytes). This overflow corrupts the stack and crashes the process. The weakness is classified as CWE-121. The primary outcome is a denial of service; there is no indication that it can lead to arbitrary code execution.

Affected Systems

The defect is limited to the ohler55 Oj Ruby gem in versions prior to 3.17.2. Any Ruby application that includes this gem and invokes Oj.dump with a custom :indent value may be affected. From the description, applications that always use the default indentation or use a fixed small value are not vulnerable. The issue is resolved in releases 3.17.2 and later.

Risk and Exploitability

The CVSS score of 6.3 classifies the risk as medium. EPSS is not available, so the real-world exploitation probability is unknown, and the flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an application that accepts user input for the :indent parameter or exposes an API that forwards that value to Oj.dump. An attacker who can control the indent size could trigger a crash and cause a denial of service. No publicly documented exploit achieves arbitrary code execution.

Generated by OpenCVE AI on July 1, 2026 at 06:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Oj to version 3.17.2 or later
  • If updating is not immediately possible, enforce a maximum :indent value (e.g., 100) before calling Oj.dump to avoid overflows
  • Apply input validation to ensure :indent never exceeds the size of the internal buffer during marshalling
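
One way to enforce the cap from the list above before any options reach Oj.dump, as an added example (not code from OpenCVE or the Oj project). MAX_INDENT takes the page's "e.g., 100" value, and `safe_dump_options`, `safe_oj_dump` and `IndentError` are hypothetical names; the policy of rejecting anything outside 0..MAX_INDENT is this example's choice.

```ruby
# Added example: guard the :indent option before it reaches Oj.dump.
# MAX_INDENT mirrors the "e.g., 100" cap suggested above (assumption; tune it).
MAX_INDENT = 100

class IndentError < ArgumentError; end

# Returns a sanitized copy of the options hash and raises on a bad :indent.
# Accepts symbol or string keys, because options parsed from a request
# (JSON body, query string) arrive with string keys and string values.
# Policy of this example: only integers in 0..max_indent are allowed,
# and out-of-range values are rejected rather than silently clamped.
def safe_dump_options(opts, max_indent: MAX_INDENT)
  clean = opts.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
  return clean unless clean.key?(:indent)

  raw = clean[:indent]
  indent =
    case raw
    when Integer then raw
    when String
      # Strict decimal only: rejects "1e9", "0x7fffffff", " 5" and "5\n".
      unless raw.match?(/\A\d{1,4}\z/)
        raise IndentError, "indent is not a decimal integer: #{raw.inspect}"
      end
      raw.to_i
    else
      raise IndentError, "indent must be an Integer, got #{raw.class}"
    end

  unless (0..max_indent).cover?(indent)
    raise IndentError, "indent #{indent} is outside 0..#{max_indent}"
  end
  clean[:indent] = indent
  clean
end

# Hypothetical wrapper: make this the only call site of Oj.dump in the app.
def safe_oj_dump(obj, opts = {})
  require "oj" # loaded lazily so the validator can be tested without the gem
  Oj.dump(obj, safe_dump_options(opts))
end
```

Routing every serialization call through one wrapper keeps the check in place even after upgrading to 3.17.2, since a request-controlled indent is still an easy way to inflate response size.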

Advisories
Source ID Title
Github GHSA GHSA-3v45-f3vh-wg7m Oj: Stack Buffer Overflow in Oj.dump via Large Indent
History

Tue, 30 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the (size_t) cast preserves the large value and memset writes 2 GB into the stack-allocated out buffer (4,184 bytes), corrupting the stack and crashing the process. This issue has been fixed in version 3.17.2.
Title Oj: Stack Buffer Overflow in Oj.dump via Large Indent
Weaknesses CWE-121
References
Metrics cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T23:10:27.623Z

Reserved: 2026-06-15T18:01:15.512Z

Link: CVE-2026-54502

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T03:15:15Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow