Impact
Oj, the Optimized JSON gem for Ruby, contains a negative-size memcpy bug in its parser when the create_id option is enabled. If a JSON object key is exactly 65,535 bytes long, an integer truncation turns the stored length into −1 before memcpy is called; when that value is widened back into memcpy's size parameter it wraps to SIZE_MAX, so memcpy attempts to copy SIZE_MAX bytes. The result is heap corruption that can crash the process or, under the right conditions, lead to arbitrary code execution. A maliciously crafted JSON document triggers the bug without any further user interaction.
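As an added illustration, not Oj's own source, the following C model reproduces the truncation the advisory describes: it assumes the key length is held in a 16-bit signed field (so 65,535 becomes −1 and, once widened for memcpy, SIZE_MAX) and places a range check beside it that rejects such a key before any byte is copied. The struct, field names and the 64-byte buffer are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Oj's code: the key length is assumed to live in a
 * 16-bit signed field, so a 65,535-byte key is recorded as -1. */
typedef struct {
    int16_t key_len;   /* hypothetical narrow length field */
    char    key[64];   /* small fixed buffer for the demonstration */
} key_buf;

/* Size memcpy would receive after the narrow field is widened to size_t:
 * (int16_t)65535 is -1 on two's-complement compilers, (size_t)-1 is SIZE_MAX. */
size_t widened_copy_length(size_t len) {
    int16_t narrow = (int16_t)len;
    return (size_t)narrow;
}

/* Hardened variant: reject any key the narrow field or the buffer cannot hold
 * before a single byte is copied. Returns 0 on success, -1 when rejected. */
int copy_key_checked(key_buf *dst, const char *src, size_t len) {
    if (len > INT16_MAX || len >= sizeof dst->key)
        return -1;
    dst->key_len = (int16_t)len;
    memcpy(dst->key, src, len);
    dst->key[len] = '\0';
    return 0;
}

/* Builds a constructed key of `len` 'a' bytes and runs the checked copy. */
int checked_copy_result(size_t len) {
    key_buf dst;
    char *src = malloc(len + 1);
    if (src == NULL)
        return -2;
    memset(src, 'a', len);
    src[len] = '\0';
    int rc = copy_key_checked(&dst, src, len);
    free(src);
    return rc;
}

int main(void) {
    printf("65535 widens to %zu (SIZE_MAX = %zu)\n",
           widened_copy_length(65535), (size_t)SIZE_MAX);
    printf("checked copy: 3 bytes -> %d, 65535 bytes -> %d\n",
           checked_copy_result(3), checked_copy_result(65535));
    return 0;
}
```

The same check is the general fix for any parser that narrows a length before passing it to a copy routine: validate against the narrow type's maximum and the destination size first, in the original width.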
Affected Systems
The affected product is the Oj gem for Ruby, version 3.17.1 and earlier. The issue is documented for users of the ohler55:oj library in environments that enable the create_id feature. Versions 3.17.2 and later contain a fixed parser implementation.
Risk and Exploitability
A CVSS score of 6.3 rates the issue as moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, which points to a low to moderate likelihood of exploitation in the wild. An attacker can cause a denial of service, or potentially execute arbitrary code, by supplying a specially crafted JSON document containing a 65,535-character key to an application that parses it with a vulnerable version of Oj and create_id enabled. Absent further mitigations, this is a non-negligible risk for applications that parse untrusted JSON payloads.
OpenCVE Enrichment
Github GHSA