Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern, producing a use-after-free. This issue has been fixed in version 3.17.2.
Published: 2026-06-30
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the Oj JSON library. When a developer disables the symbol_keys option on a parser that was previously used with symbol keys, the internal key cache is freed but its pointer is not cleared. A subsequent parse call then reads from this released memory, which can corrupt the process’s heap. The attacker could potentially read sensitive data or overwrite memory, leading to arbitrary code execution depending on the surrounding code.

Affected Systems

The affected software is the Ruby gem oj version 3.17.1 and earlier. The open‑source library is provided by ohler55 and is commonly used in Ruby applications that parse JSON.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. No exploit probability is available, and the vulnerability is not listed in CISA’s KEV catalog. Because the use‑after‑free occurs when a Ruby program reuses a parser instance across different symbol_keys settings, the attack vector is likely an attacker‑controlled script that has access to the application code or can inject code through a user input that is parsed with Oj. Fixing the issue requires an update to 3.17.2 or later, which eliminates the dangling pointer.

Generated by OpenCVE AI on July 1, 2026 at 04:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade oj to version 3.17.2 or newer in your application.
  • If your code needs to toggle symbol_keys, create a new Oj::Parser instance for each configuration instead of reusing one.
  • Scan your codebase for any usage of Oj::Parser that may be reused and enforce the above pattern or update to the patched gem.

Generated by OpenCVE AI on July 1, 2026 at 04:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2cw7-v8ff-p88r Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle
History

Tue, 30 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern, producing a use-after-free. This issue has been fixed in version 3.17.2.
Title Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T23:03:15.696Z

Reserved: 2026-06-16T13:49:33.555Z

Link: CVE-2026-54899

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T05:00:07Z

Weaknesses