Impact
The vulnerability is a heap use‑after‑free in the Oj JSON parser, triggered when a SAJ or SAJ2 callback mutates the JSON string while parsing. The Ruby engine stores a raw readonly byte pointer to the string buffer; if a callback such as hash_start resizes the string, Ruby reallocates the buffer and frees the old memory, leaving the parser’s pointer dangling. The next character read by the C parser causes a use‑after‑free that can corrupt memory and potentially crash the process or allow further exploitation.
Affected Systems
The issue affects the Ruby gem ohler55:oj in all releases prior to version 3.17.2. Any application that parses JSON with Oj using SAJ/SAJ2 callbacks is susceptible. The fix is available in oj 3.17.2 and later.
Risk and Exploitability
The CVSS score is 2.1, indicating low severity, and the vulnerability is not listed in CISA KEV. Exploitation requires a user‑supplied JSON that invokes a mutating callback, so it is primarily a local or application‑level risk. With no EPSS data the exploitation probability remains uncertain but is expected to be low. There is no known public exploit reported.
OpenCVE Enrichment
Github GHSA