Impact
The vulnerability is a use‑after‑free in the Oj JSON library. When a developer disables the symbol_keys option on a parser that was previously used with symbol keys, the internal key cache is freed but its pointer is not cleared. A subsequent parse call then reads from this released memory, which can corrupt the process’s heap. The attacker could potentially read sensitive data or overwrite memory, leading to arbitrary code execution depending on the surrounding code.
Affected Systems
The affected software is the Ruby gem oj version 3.17.1 and earlier. The open‑source library is provided by ohler55 and is commonly used in Ruby applications that parse JSON.
Risk and Exploitability
The CVSS score of 6.3 indicates a moderate severity. No exploit probability is available, and the vulnerability is not listed in CISA’s KEV catalog. Because the use‑after‑free occurs when a Ruby program reuses a parser instance across different symbol_keys settings, the attack vector is likely an attacker‑controlled script that has access to the application code or can inject code through a user input that is parsed with Oj. Fixing the issue requires an update to 3.17.2 or later, which eliminates the dangling pointer.
OpenCVE Enrichment
Github GHSA