CVE-2022-32511
Description
jmespath.rb before 1.6.1 uses JSON.load, enabling code execution from crafted JSON input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
jmespath.rb (JMESPath for Ruby) versions before 1.6.1 use JSON.load instead of JSON.parse when parsing scalar JSON values inside search expressions [1][2]. JSON.load can deserialize arbitrary Ruby objects, which can lead to code execution if the JSON contains malicious payloads. The vulnerable code path is triggered when JMESPath processes a search expression that involves scalar values (e.g., strings, numbers, booleans) [3].
Exploitation
An attacker can exploit this vulnerability by providing a crafted JSON expression that includes a malicious object payload. No authentication or special privileges are required; the attacker only needs to control the JSON data being searched by a vulnerable version of jmespath.rb. The victim application or user must process the malicious expression using the library.
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the process using jmespath.rb. This can lead to full compromise of the application, data exfiltration, or further lateral movement within the environment. The CVSS score is 9.8 (Critical) [2].
Mitigation
The vulnerability is fixed in jmespath.rb version 1.6.1, which replaces JSON.load with JSON.parse [1][3]. Users should upgrade to version 1.6.1 or later. No workaround exists other than avoiding untrusted JSON input until the upgrade is applied.
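As an added illustration (not code from jmespath.rb or from the advisory), the Ruby below contrasts the two calls the fix swaps, mirrors the patched lexer's scalar wrapping, and handles the blank-input difference an upgrade exposes. `Marker`, `TAGGED`, `parse_scalar` and `read_json` are constructed for this example; `create_additions` is passed to `JSON.load` explicitly because json gem versions differ in what `JSON.load` enables by default.

```ruby
require 'json'
require 'stringio'

# Constructed, benign class (hypothetical, not from jmespath.rb): any class that
# exposes json_create can be instantiated by the json gem's "json_class" additions.
class Marker
  attr_reader :label
  def initialize(label)
    @label = label
  end

  def self.json_create(hash)
    new(hash['label'])
  end
end

# Constructed input carrying the additions key.
TAGGED = '{"json_class":"Marker","label":"hi"}'

# Pre-1.6.1 behaviour: JSON.load with additions enabled hands back a live
# Marker built from the input. The option is passed explicitly because json
# gem versions differ in what JSON.load enables by default.
def load_with_additions(text)
  JSON.load(text, nil, create_additions: true)
end

# 1.6.1 behaviour: JSON.parse keeps "json_class" as an ordinary hash key.
def parse_plain(text)
  JSON.parse(text)
end

# Mirrors the patched lexer: wrap a scalar token in an object so it parses on
# json versions that reject bare scalars, and never touch JSON.load.
def parse_scalar(token)
  JSON.parse("{\"value\":#{token}}")['value']
end

# Upgrade caveat for the IO/StringIO path: JSON.load returned nil for blank
# input (allow_blank) where JSON.parse raises, so handle the blank case first.
def read_json(io)
  text = io.read
  return nil if text.nil? || text.strip.empty?
  JSON.parse(text)
end

if __FILE__ == $PROGRAM_NAME
  puts load_with_additions(TAGGED).class # Marker
  puts parse_plain(TAGGED).class         # Hash
  p parse_scalar('true'), parse_scalar('"abc"'), read_json(StringIO.new(''))
end
```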
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jmespath (RubyGems) | < 1.6.1 | 1.6.1 |
Affected products
- jmespath.rb/jmespath.rb (source: CVE description)
- OSV coordinates (21 versions, no CPE):
  - pkg:apk/chainguard/py3.10-jmespath (range: < 0)
  - pkg:apk/chainguard/py3.10-jmespath-bin (range: < 0)
  - pkg:apk/chainguard/py3.11-jmespath (range: < 0)
  - pkg:apk/chainguard/py3.11-jmespath-bin (range: < 0)
  - pkg:apk/chainguard/py3.12-jmespath (range: < 0)
  - pkg:apk/chainguard/py3.12-jmespath-bin (range: < 0)
  - pkg:apk/chainguard/py3.13-jmespath (range: < 0)
  - pkg:apk/chainguard/py3.13-jmespath-bin (range: < 0)
  - pkg:apk/chainguard/py3-jmespath (range: < 0)
  - pkg:apk/chainguard/py3-supported-jmespath (range: < 0)
  - pkg:apk/wolfi/py3.10-jmespath (range: < 0)
  - pkg:apk/wolfi/py3.10-jmespath-bin (range: < 0)
  - pkg:apk/wolfi/py3.11-jmespath (range: < 0)
  - pkg:apk/wolfi/py3.11-jmespath-bin (range: < 0)
  - pkg:apk/wolfi/py3.12-jmespath (range: < 0)
  - pkg:apk/wolfi/py3.12-jmespath-bin (range: < 0)
  - pkg:apk/wolfi/py3.13-jmespath (range: < 0)
  - pkg:apk/wolfi/py3.13-jmespath-bin (range: < 0)
  - pkg:apk/wolfi/py3-jmespath (range: < 0)
  - pkg:apk/wolfi/py3-supported-jmespath (range: < 0)
  - pkg:gem/jmespath (range: < 1.6.1)
Patches
e8841280053a Merge pull request #55 from jmespath/json-parse
4 files changed · +18 −17
bin/jmespath.rb+1 −1 modified@@ -6,6 +6,6 @@ require 'json' expression = ARGV[0] -json = JSON.load(STDIN.read) +json = JSON.parse(STDIN.read) $stdout.puts(JSON.dump(JMESPath.search(expression, json)))
CHANGELOG.md+4 −3 modified@@ -1,10 +1,12 @@ -1.6.0 (2022-02-14) +Unreleased Changes ------------------ +* Issue - Use `JSON.parse` instead of `JSON.load`. + 1.6.0 (2022-02-14) ------------------ -* Feature - Add support for string comparisions. +* Feature - Add support for string comparisons. 1.5.0 (2022-01-10) ------------------ @@ -230,4 +232,3 @@ ------------------ * Passing all of the JMESPath compliance tests. -
lib/jmespath/lexer.rb+11 −11 modified@@ -298,12 +298,12 @@ def inside(chars, delim, type) # Certain versions of Ruby and of the pure_json gem not support loading # scalar JSON values, such a numbers, booleans, strings, etc. These # simple values must be first wrapped inside a JSON object before calling - # `JSON.load`. + # `JSON.parse`. # # # works in most JSON versions, raises in some versions - # JSON.load("true") - # JSON.load("123") - # JSON.load("\"abc\"") + # JSON.parse("true") + # JSON.parse("123") + # JSON.parse("\"abc\"") # # This is an known issue for: # @@ -317,12 +317,12 @@ def inside(chars, delim, type) # causes issues in environments that cannot compile the gem. We previously # had a direct dependency on `json_pure`, but this broke with the v2 update. # - # This method allows us to detect how the `JSON.load` behaves so we know + # This method allows us to detect how the `JSON.parse` behaves so we know # if we have to wrap scalar JSON values to parse them or not. # @api private def self.requires_wrapping? begin - JSON.load('false') + JSON.parse('false') rescue JSON::ParserError true end @@ -332,12 +332,12 @@ def self.requires_wrapping? def parse_json(token, quoted = false) begin if quoted - token.value = JSON.load("{\"value\":#{token.value}}")['value'] + token.value = JSON.parse("{\"value\":#{token.value}}")['value'] else begin - token.value = JSON.load("{\"value\":#{token.value}}")['value'] + token.value = JSON.parse("{\"value\":#{token.value}}")['value'] rescue - token.value = JSON.load(sprintf('{"value":"%s"}', token.value.lstrip))['value'] + token.value = JSON.parse(sprintf('{"value":"%s"}', token.value.lstrip))['value'] end end rescue JSON::ParserError 
@@ -349,9 +349,9 @@ def parse_json(token, quoted = false) def parse_json(token, quoted = false) begin if quoted - token.value = JSON.load(token.value) + token.value = JSON.parse(token.value) else - token.value = JSON.load(token.value) rescue JSON.load(sprintf('"%s"', token.value.lstrip)) + token.value = JSON.parse(token.value) rescue JSON.parse(sprintf('"%s"', token.value.lstrip)) end rescue JSON::ParserError token.type = T_UNKNOWN
lib/jmespath.rb+2 −2 modified@@ -26,15 +26,15 @@ def search(expression, data, runtime_options = {}) data = case data when Hash, Struct then data # check for most common case first when Pathname then load_json(data) - when IO, StringIO then JSON.load(data.read) + when IO, StringIO then JSON.parse(data.read) else data end Runtime.new(runtime_options).search(expression, data) end # @api private def load_json(path) - JSON.load(File.open(path, 'r', encoding: 'UTF-8') { |f| f.read }) + JSON.parse(File.open(path, 'r', encoding: 'UTF-8') { |f| f.read }) end end
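Review bot: the new changelog line `* Issue - Use `JSON.parse` instead of `JSON.load`.` in the CHANGELOG.md hunk reads as a routine refactor and gives no hint that it closes an unsafe-deserialization path; state the consequence (for example `* Issue - Use `JSON.parse` instead of `JSON.load` so untrusted JSON can no longer create arbitrary Ruby objects.`) so packagers and dependency scanners recognise it as a security fix. The `comparisions` to `comparisons` typo fix and the removed trailing blank line in the `@@ -230,4 +232,3 @@` hunk are harmless but unrelated to the fix.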
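Review bot: the comment rewrites in the `@@ -298,12 +298,12 @@` and `@@ -317,12 +317,12 @@` hunks of lib/jmespath/lexer.rb only swap the method name, so the text still reads `how the `JSON.parse` behaves` (drop `the`) and the unchanged context line `This is an known issue for:` should read `a known issue`; also `such a numbers` in the first hunk's context should be `such as numbers`. Since the comment is being touched anyway, these are worth fixing in the same hunk.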
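Review bot: in the `parse_json` hunk at `@@ -332,12 +332,12 @@` in lib/jmespath/lexer.rb, the inner `rescue` around `token.value = JSON.parse("{\"value\":#{token.value}}")['value']` is a bare rescue, so any StandardError, not only `JSON::ParserError`, falls into `JSON.parse(sprintf('{"value":"%s"}', token.value.lstrip))['value']`, which splices the raw token into a JSON string literal without escaping. With `JSON.parse` this can no longer instantiate objects, but a token containing `"` or `\` still yields a parse error rather than the intended quoted string. Narrow the inner clause to `rescue JSON::ParserError` and build the quoted form with `token.value.lstrip.to_json` instead of `sprintf`.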
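Review bot: `token.value = JSON.parse(token.value) rescue JSON.parse(sprintf('"%s"', token.value.lstrip))` in the `@@ -349,9 +349,9 @@` hunk uses the `rescue` modifier, which catches every StandardError from the first parse and turns unexpected failures (an encoding error, for instance) into a silent retry with the same unescaped `sprintf` quoting used in the other `parse_json`. An explicit `begin ... rescue JSON::ParserError` with `token.value.lstrip.to_json` as the fallback keeps both definitions consistent.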
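Review bot: the `IO, StringIO` and `load_json` changes in the lib/jmespath.rb hunk (and `JSON.parse(STDIN.read)` in bin/jmespath.rb) alter behaviour for empty input: `JSON.load` has `allow_blank` in its default options and returned `nil` for a nil or empty source, whereas `JSON.parse('')` raises `JSON::ParserError`. An empty file passed as a `Pathname`, an exhausted IO, or empty stdin now raise where they previously yielded `nil`; either note this in CHANGELOG.md or guard with an explicit blank check before parsing. Minor: `File.open(path, 'r', encoding: 'UTF-8') { |f| f.read }` can be `File.read(path, encoding: 'UTF-8')`.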
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/jmespath/jmespath.rb/pull/55 (NVD: Patch, Third Party Advisory)
- github.com/advisories/GHSA-5c5f-7vfq-3732 (GHSA: Advisory)
- github.com/jmespath/jmespath.rb/compare/v1.6.0...v1.6.1 (NVD: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-32511 (GHSA: Advisory)
- stackoverflow.com/a/30050571/580231 (NVD: Third Party Advisory)
- github.com/jmespath/jmespath.rb/commit/e8841280053a9d9a0c90f36223f926c8b9e4ec49 (GHSA)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/jmespath/CVE-2022-32511.yml (GHSA)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/376NUPIPTYBWWGS33GO4UOLQRI4D3BTP (GHSA)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGZ2YWONVFFOPACHAT4MM7ZBT4DNHOF5 (GHSA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/376NUPIPTYBWWGS33GO4UOLQRI4D3BTP/ (NVD)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGZ2YWONVFFOPACHAT4MM7ZBT4DNHOF5/ (NVD)
News mentions
No linked articles in our index yet.