CVE-2026-33210

Summary

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Affected Software

VendorProductVersion RangeStatus
rubyjson>= 2.14.0, < 2.15.2.1affected
rubyjson>= 2.16.0, < 2.17.1.2affected
rubyjson>= 2.18.0, < 2.19.2affected

Weaknesses

  • CWE-134: CWE-134: Use of Externally-Controlled Format String

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection

Additional References

References