Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2.
Published: 2026-06-30
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oj.load uses a heap buffer that overflows when processing a JSON string larger than 2 GB, due to an unsigned integer wraparound in buf_append_string. The overflow turns a valid 2‑GB length into a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. The result is a crash and corruption of adjacent heap objects, which in turn can allow an attacker to execute arbitrary code or interfere with application logic. This flaw is identified as integer overflow (CWE‑190).

Affected Systems

Ruby applications that depend on the ohler55:oj gem, specifically Oj versions earlier than 3.17.2. Any environment that invokes Oj.load to parse untrusted or large JSON payloads is affected.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium-severity vulnerability, and the lack of an EPSS score suggests no publicly known exploit yet, though the risk of exploitation remains. Since the overflow occurs during JSON parsing, an attacker can trigger it by supplying a JSON document of 2 GB or larger to any application using Oj.load, which can be achieved remotely if the application accepts JSON over a network interface. The flaw may lead to denial of service or, if the adjacent heap memory can be controlled, to arbitrary code execution. The vulnerability is not listed in the CISA KEV catalog, but the potential impact warrants proactive remediation.

Generated by OpenCVE AI on July 1, 2026 at 03:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Oj gem to version 3.17.2 or newer, which contains a safeguard against processing strings larger than 2 GB.
  • If a quick upgrade is not possible, restrict the size of JSON input that is fed to Oj.load to less than 2 GB and add explicit validation before parsing.
  • Consider replacing Oj.load with a safer JSON parser such as Ruby's built‑in JSON.parse for untrusted data or adding a wrapper that checks input length before parsing.
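As an added example (not code from this page or from the Oj project), the wrapper suggested in the last item above: it caps the byte size of a String or IO input before handing it to a parser. The parser defaults to the stdlib JSON.parse so the file runs without Oj installed; passing `Oj.method(:load)` with the gem present is the assumed production usage.

```ruby
require 'json'
require 'stringio'

# Byte limit enforced before parsing. Pre-3.17.2 Oj overflows on strings of
# 2 GB and above, so 2**31 - 1 is the absolute ceiling; real deployments should
# set a far smaller limit that matches the payloads they actually expect.
MAX_JSON_BYTES = 2**31 - 1

class JsonTooLarge < StandardError; end

# Read an IO in fixed chunks and stop as soon as the byte count exceeds
# max_bytes, so a declared Content-Length is never trusted and an oversized
# stream is rejected without buffering all of it.
def read_limited(io, max_bytes, chunk_size: 64 * 1024)
  buf = String.new # binary buffer; IO#read(n) returns binary chunks as well
  while (chunk = io.read(chunk_size))
    buf << chunk
    raise JsonTooLarge, "stream exceeds #{max_bytes} bytes" if buf.bytesize > max_bytes
  end
  buf.force_encoding(Encoding::UTF_8) # JSON text is UTF-8
end

# Parse `input` (a String or a readable IO) only after confirming it fits in
# max_bytes. `parser` is the callable being protected; it defaults to the
# stdlib JSON.parse so this file runs without the Oj gem. With Oj installed the
# assumed call is safe_load(body, parser: Oj.method(:load)).
def safe_load(input, max_bytes: MAX_JSON_BYTES, parser: JSON.method(:parse))
  data = input.respond_to?(:read) ? read_limited(input, max_bytes) : input.to_s
  # Compare bytes, not characters: String#length counts characters, so a
  # multibyte payload can pass a character-count check yet exceed the limit.
  if data.bytesize > max_bytes
    raise JsonTooLarge, "input is #{data.bytesize} bytes; limit is #{max_bytes} bytes"
  end
  parser.call(data)
end
```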


Advisories

Source: GitHub GHSA
ID: GHSA-475m-ph3x-64gp
Title: Oj: Integer Overflow in Oj.load 2GB String Handling
History

Wed, 01 Jul 2026 00:15:00 +0000

Values added (no values removed):

Description: identical to the Description given at the top of this record.
Title: Oj: Integer Overflow in Oj.load 2GB String Handling
Weaknesses: CWE-190
References: none
Metrics: cvssV4_0, score 6.3, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T23:42:06.777Z

Reserved: 2026-06-16T13:49:33.555Z

Link: CVE-2026-54903

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T03:15:15Z

Weaknesses
  • CWE-190: Integer Overflow or Wraparound