Impact
Oj.load is vulnerable to a heap buffer overflow when it processes a JSON string of 2 GB or more, due to an integer wraparound in the length arithmetic of buf_append_string. A length of 2 GB (2^31 bytes) is exactly the point at which a signed 32-bit integer wraps negative; when that wrapped value is handed to memcpy it is converted to size_t, which is unsigned, and becomes an enormous copy length, so memcpy writes far past the end of the heap buffer. The result is a process crash and corruption of adjacent heap objects, which an attacker may be able to leverage into arbitrary code execution or manipulation of application logic. The flaw is classified as integer overflow or wraparound (CWE-190).
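The wraparound described above, shown as an added illustrative example that is not Oj's own code: the first function reproduces the vulnerable pattern (a size_t length narrowed to a 32-bit int and widened back to size_t for memcpy, with no sign check in between), and the second is a hardened append in which every length stays size_t and every addition is checked before it is performed. The names vuln_bytes_to_copy, vuln_length_wraps, buf_append_string_safe, buf_t and MAX_STRING_LEN are this example's own assumptions, not Oj's API.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative reproduction of the wraparound pattern, NOT Oj's source code.
 * A string length that arrives as size_t is narrowed to a 32-bit int (as a
 * pre-fix buffer append routine might do) and later widened back to size_t
 * for memcpy. Assumes a 32-bit int, as on every mainstream platform.
 */
size_t vuln_bytes_to_copy(size_t slen) {
    /* Narrowing an out-of-range value to int is implementation-defined in C;
     * gcc and clang reduce modulo 2^32, so 2^31 becomes INT_MIN. */
    int n = (int)slen;
    /* No `if (n < 0)` guard here: that missing check is the bug illustrated. */
    return (size_t)n; /* INT_MIN widened to size_t is 0xFFFFFFFF80000000 on 64-bit */
}

/* True when the narrowed length has wrapped negative, i.e. slen >= 2 GiB. */
bool vuln_length_wraps(size_t slen) {
    return (int)slen < 0;
}

/* Hardened growable buffer: every length is size_t and every addition is
 * checked before it happens. Names are this example's own, not Oj's. */
#define MAX_STRING_LEN ((size_t)1 << 30) /* policy cap for one string: 1 GiB (assumed) */

typedef struct {
    char  *head;
    size_t used;
    size_t cap;
} buf_t;

bool buf_append_string_safe(buf_t *b, const char *s, size_t slen) {
    if (slen > MAX_STRING_LEN) return false;          /* reject oversized input early */
    if (slen > SIZE_MAX - b->used) return false;      /* used + slen would wrap */
    size_t need = b->used + slen;
    if (need > b->cap) {
        size_t ncap = b->cap ? b->cap : 64;
        while (ncap < need) {
            if (ncap > SIZE_MAX / 2) return false;    /* doubling would wrap */
            ncap *= 2;
        }
        char *p = realloc(b->head, ncap);
        if (p == NULL) return false;
        b->head = p;
        b->cap  = ncap;
    }
    memcpy(b->head + b->used, s, slen);               /* in bounds by construction */
    b->used = need;
    return true;
}

void buf_free(buf_t *b) {
    free(b->head);
    b->head = NULL;
    b->used = b->cap = 0;
}

int main(void) {
    size_t two_gib = (size_t)1 << 31;
    /* The 2 GiB copy is never performed; only the size memcpy would receive is shown. */
    printf("2 GiB length -> memcpy size %zu (wraps: %s)\n",
           vuln_bytes_to_copy(two_gib), vuln_length_wraps(two_gib) ? "yes" : "no");

    buf_t b = {0};
    bool ok = buf_append_string_safe(&b, "hello ", 6) &&
              buf_append_string_safe(&b, "world", 5);
    printf("safe append ok=%d used=%zu\n", ok, b.used);
    /* A 2 GiB length is rejected by the policy cap before any memcpy runs. */
    printf("safe append of 2 GiB length accepted? %d\n",
           buf_append_string_safe(&b, "", two_gib));
    buf_free(&b);
    return 0;
}
```

Build with gcc or clang on a 64-bit host. The vulnerable path never allocates or copies 2 GiB; it only computes the length memcpy would be given, which is what makes the wrap visible without crashing the demo. The hardened append shows the two checks the page's description implies were missing: a bound on the incoming length and an overflow-checked addition before the buffer grows.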
Affected Systems
Ruby applications that depend on the ohler55:oj gem at versions earlier than 3.17.2; version 3.17.2 contains the fix. Any deployment that calls Oj.load on untrusted or very large JSON payloads is exposed.
Risk and Exploitability
The CVSS score of 6.3 rates this a medium severity vulnerability. No EPSS score has been published yet, so the likelihood of exploitation has not been estimated; that absence says nothing about whether an exploit exists. Because the overflow is triggered during JSON parsing, an attacker can reach it by supplying a JSON document of 2 GB or more to any code path that ends in Oj.load, remotely if the application accepts JSON over a network interface. In practice that means the application must receive and buffer a request body of that size, so request body limits enforced by the web server or framework reduce exposure but are not a fix. The most likely outcome is denial of service: a memcpy of the wrapped length runs into unmapped memory and crashes the process. Arbitrary code execution would require the attacker to arrange the heap so that useful data is overwritten before the fault, which is harder but cannot be ruled out. The vulnerability is not listed in the CISA KEV catalog, but the potential impact warrants upgrading to Oj 3.17.2 or later now rather than waiting for evidence of exploitation.
OpenCVE Enrichment
Github GHSA