Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2,Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling String#replace with a longer value — Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free. This issue has been fixed in version 3.17.2.
Published: 2026-06-30
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap use‑after‑free in the Oj JSON parser, triggered when a SAJ or SAJ2 callback mutates the JSON string while parsing. The Ruby engine stores a raw readonly byte pointer to the string buffer; if a callback such as hash_start resizes the string, Ruby reallocates the buffer and frees the old memory, leaving the parser’s pointer dangling. The next character read by the C parser causes a use‑after‑free that can corrupt memory and potentially crash the process or allow further exploitation.

Affected Systems

The issue affects the Ruby gem ohler55:oj in all releases prior to version 3.17.2. Any application that parses JSON with Oj using SAJ/SAJ2 callbacks is susceptible. The fix is available in oj 3.17.2 and later.

Risk and Exploitability

The CVSS score is 2.1, indicating low severity, and the vulnerability is not listed in CISA KEV. Exploitation requires a user‑supplied JSON that invokes a mutating callback, so it is primarily a local or application‑level risk. With no EPSS data the exploitation probability remains uncertain but is expected to be low. There is no known public exploit reported.

Generated by OpenCVE AI on July 1, 2026 at 03:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Oj gem to version 3.17.2 or later.
  • Audit and remove or sanitize any SAJ callbacks that mutate the input JSON during parsing.
  • If an upgrade cannot be applied immediately, restrict or validate input JSON from untrusted sources and disable callbacks that alter the JSON buffer.

Generated by OpenCVE AI on July 1, 2026 at 03:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q2gm-54r6-8fwm Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation
History

Tue, 30 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2,Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling String#replace with a longer value — Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free. This issue has been fixed in version 3.17.2.
Title Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T23:24:23.707Z

Reserved: 2026-06-16T13:49:33.555Z

Link: CVE-2026-54898

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T03:15:15Z

Weaknesses