Impact
The vulnerability in Oj, a Ruby JSON parsing library, is a classic use-after-free (CWE-416). When the parser runs in SAJ mode, it does not protect larger cached object keys from garbage collection. A Ruby callback that forces GC during the hash-end callback can reclaim the key string while the native C parser still holds a pointer to it. The parser then dereferences the freed memory, producing a segmentation fault; the crash shows a canary-style pattern in the freed buffer, which suggests that the contents of the freed payload can be influenced. The description demonstrates only a crash, but that pattern implies an attacker could potentially manipulate the freed memory and execute arbitrary code.
Affected Systems
All Ruby applications that depend on the ohler55:oj gem at a version before 3.17.2 and are configured to use SAJ mode are affected. This includes projects on Oj 3.15.x or 3.16.x in any Ruby environment where long key strings (35 bytes or more) are processed through SAJ parsing.
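As an added, defender-side check (not code from the Oj project or from this advisory): a Ruby script that reads the resolved oj version out of a Gemfile.lock, compares it with the 3.17.2 fix version stated above, and flags source lines that appear to use SAJ mode. The SAJ usage patterns are an assumption (a heuristic, not an exhaustive list of Oj's SAJ entry points); the lockfile and source samples are constructed inline.

```ruby
require "rubygems" # Gem::Version

# Fix version from the advisory above.
FIXED_OJ_VERSION = Gem::Version.new("3.17.2")

# Constructed sample: a resolved spec line in Gemfile.lock is indented 4 spaces.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oj (3.16.1)
        bigdecimal (>= 3.0)

  DEPENDENCIES
    oj (~> 3.16)
LOCK

# Constructed sample source that drives Oj in SAJ mode.
SAMPLE_SOURCE = <<~RUBY
  require "oj"
  class KeyLogger < Oj::Saj
    def hash_start(key); end
  end
  Oj.saj_parse(KeyLogger.new, File.read("input.json"))
RUBY

# Assumed heuristic: these spellings indicate SAJ-mode parsing.
SAJ_PATTERNS = [/Oj\.saj_parse\b/, /Oj::Saj\b/, /Oj::Parser\.new\(:saj\)/].freeze

# Resolved oj version from a lockfile body, or nil when oj is not a dependency.
def oj_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}oj \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

def oj_version_vulnerable?(version)
  version < FIXED_OJ_VERSION
end

# 1-based line numbers in +source+ that match a SAJ pattern.
def saj_usage_lines(source)
  source.each_line.with_index(1).filter_map do |line, no|
    no if SAJ_PATTERNS.any? { |re| line.match?(re) }
  end
end

# :affected = vulnerable version and SAJ usage found; :review = vulnerable
# version but no SAJ usage spotted by the heuristic; :not_affected otherwise.
def assess(lock_text, sources)
  version = oj_version_from_lockfile(lock_text)
  return { status: :not_affected, reason: "oj not in lockfile" } if version.nil?
  return { status: :not_affected, version: version.to_s } unless oj_version_vulnerable?(version)
  hits = sources.transform_values { |src| saj_usage_lines(src) }.reject { |_, v| v.empty? }
  { status: hits.empty? ? :review : :affected, version: version.to_s, saj_usage: hits }
end
```

Run it against a real checkout by passing `File.read("Gemfile.lock")` and a hash of path to file contents to `assess`.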
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that large-scale exploitation has not yet been observed. However, because the flaw requires triggering a GC during hash processing in SAJ mode, an attacker would need control over the Ruby callback or the parsing context. If an attacker can inject code that forces GC at the vulnerable moment, the resulting memory corruption could lead to arbitrary code execution or denial of service. The risk remains moderate to high in environments that rely heavily on SAJ parsing with long keys.
OpenCVE Enrichment
Github GHSA