Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in object mode, Oj.dump is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory. This issue has been fixed in version 3.17.2.
Published: 2026-06-30
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap buffer overflow in the Oj Ruby gem. When using Oj.dump in object mode to serialize Exception objects with a large :indent value, the serializer allocates a buffer sized for the object's attributes and fails to account for the indent bytes added on each write. With an :indent of 5,000, the repeated 5,000‑byte indent strings exceed the 13,150‑byte heap allocation, corrupting adjacent memory. This flaw, identified as CWE‑122, can lead to arbitrary memory corruption and is fixed in Oj version 3.17.2.

Affected Systems

Any deployment using the ohler55 oj gem prior to version 3.17.2 that employs Oj.dump in object mode for Exception objects with a sizable :indent argument. No additional vendor or product information is specified beyond the gem name and vulnerable version range.

Risk and Exploitability

The CVSS score of 2.1 classifies the issue as low severity. An exploit would need an actor to invoke Oj.dump with a crafted Exception object and an oversized :indent value, causing memory corruption that may crash the Ruby process. Because the vulnerability is limited to internal serialization logic, the immediate consequence is a local denial of service rather than remote code execution, and no public exploits have been reported. The EPSS is not available, and the flaw is not listed in CISA’s KEV catalog, indicating a relatively low likelihood of widespread exploitation at this time.

Generated by OpenCVE AI on July 1, 2026 at 03:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the oj gem to version 3.17.2 or later, which addresses the buffer overflow bug.
  • If upgrade is not immediately feasible, avoid serializing Exception objects with Oj.dump or limit the :indent parameter to a modest size (for example, less than 100).
  • Deploy the application with these mitigations in place and monitor for abnormal crashes or memory corruption that could signal residual or accidental exploitation.

Generated by OpenCVE AI on July 1, 2026 at 03:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-35w3-pjm6-wj95 Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent
History

Tue, 30 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in object mode, Oj.dump is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory. This issue has been fixed in version 3.17.2.
Title Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent
Weaknesses CWE-122
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T23:20:27.524Z

Reserved: 2026-06-16T13:49:33.555Z

Link: CVE-2026-54896

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T03:15:15Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow