Impact
The vulnerability is a heap use-after-free in Oj's Doc iterators. When an iterator yields to a Ruby block and that block closes the document (doc.close or d.close, depending on the name the Doc object is bound to), the iterator's C code keeps running after the document's memory has been freed. The iterator then reads from that freed memory, so the use-after-free can be triggered from pure Ruby code. The flaw could cause a program crash or, depending on the memory contents, could allow an attacker to execute arbitrary code within the Ruby process.
Affected Systems
Vendor: ohler55. Product: the Oj Ruby gem. Versions older than 3.17.2 are affected. Applications that load JSON with the affected gem and iterate over it with each_value, each_child or each_leaf are vulnerable.
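A check a defender can run against a project's dependency lock: scan a Gemfile.lock for a resolved Oj version below 3.17.2, the first version the advisory lists as fixed. This is an added example, not code from the Oj project or the advisory; the lockfile content and the version 3.16.9 in it are constructed for demonstration.

```ruby
require "rubygems" # Gem::Version gives correct numeric comparison (3.17.10 > 3.17.2)

FIXED_OJ_VERSION = Gem::Version.new("3.17.2") # first version not affected per the advisory

# Extract "name (version)" entries from the specs section of a Gemfile.lock.
# Returns a hash of gem name => Gem::Version.
def parse_lockfile_versions(lock_text)
  versions = {}
  lock_text.each_line do |line|
    # Bundler writes each resolved gem as exactly four spaces, the name, and
    # the version in parentheses; deeper-indented lines are sub-dependencies.
    if line =~ /\A    ([A-Za-z0-9_.-]+) \(([^)\s]+)\)\s*\z/
      versions[$1] = Gem::Version.new($2)
    end
  end
  versions
end

# Return :vulnerable, :fixed or :absent for the Oj gem in the given lockfile text.
def oj_status(lock_text)
  version = parse_lockfile_versions(lock_text)["oj"]
  return :absent if version.nil?
  version < FIXED_OJ_VERSION ? :vulnerable : :fixed
end

# Constructed Gemfile.lock fragment (not taken from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bigdecimal (3.1.8)
      oj (3.16.9)
        bigdecimal (>= 3.0)
        ostruct (>= 0.2)
      ostruct (0.6.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    oj
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "oj: #{oj_status(SAMPLE_LOCKFILE)}" # prints "oj: vulnerable" for the sample
end
```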
Risk and Exploitability
The CVSS score of 2.1 indicates low severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The flaw requires the attacker to supply Ruby code that calls close while an iterator is executing, so the attack surface is limited to applications that use the affected gem and process untrusted or user-supplied JSON. Exploitation would typically need control over the Ruby environment, which is often restricted, so the overall risk and likelihood of exploitation are low; the vulnerability nevertheless remains present until the gem is updated.
OpenCVE Enrichment
Github GHSA