Ruby JSON Parser has Out-of-bounds Read
Description
JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted document could cause an out-of-bounds read, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable. Version 2.10.2 fixes the problem. No known workarounds are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ruby JSON gem versions 2.10.0 and 2.10.1 have an out-of-bounds read vulnerability in JSON parsing, leading to a crash.
Description
CVE-2025-27788 affects the json gem for Ruby, versions 2.10.0 up to (but not including) 2.10.2. The vulnerability is an out-of-bounds read that occurs when parsing a specially crafted JSON document [1]. This flaw can cause the Ruby process to crash, as the parser attempts to read memory beyond the allocated buffer for the input string.
Exploitation
An attacker can exploit this vulnerability by supplying a malicious JSON document to an application that uses the vulnerable json gem for parsing. No special network position or authentication is required; the attack surface is any component that processes JSON input from untrusted sources, such as API endpoints or file upload handlers [2]. The out-of-bounds read is triggered during the parsing phase, before the document is fully validated.
Impact
The primary impact is a denial of service (DoS) condition, as the most likely outcome of the out-of-bounds read is a segmentation fault or other crash of the Ruby process [1]. While this is a read access, exploitation could potentially lead to information disclosure in certain edge cases, though the advisory emphasizes the crash as the primary risk.
Mitigation
The issue is fixed in version 2.10.2 of the json gem [1][4]. Users are strongly advised to update to this patched version immediately. No known workarounds exist; upgrading is the only remediation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| json (RubyGems) | >= 2.10.0, < 2.10.2 | 2.10.2 |
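An added example (not from the advisory or the ruby/json project): a Ruby check that reads a Gemfile.lock and reports whether the locked json version falls in the affected range listed above. The helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version and Gem::Requirement

# Affected range and fixed version as stated in the advisory table.
AFFECTED = Gem::Requirement.new(">= 2.10.0", "< 2.10.2")
PATCHED  = Gem::Version.new("2.10.2")

# Return the json versions resolved in a Gemfile.lock "specs:" section.
# Resolved gems are indented four spaces; deeper lines such as
# "json (>= 2.0)" are dependency constraints of another gem and are skipped.
def locked_json_versions(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/\A {4}json \(([^)\s]+)\)\s*\z/)
    next unless m
    # Drop a platform suffix such as "-java" before comparing versions.
    Gem::Version.new(m[1].sub(/-[a-z].*\z/i, ""))
  end.uniq
end

def affected?(version)
  AFFECTED.satisfied_by?(Gem::Version.new(version.to_s))
end

# One result per locked json version: { version:, affected: }.
def audit(lockfile_text)
  locked_json_versions(lockfile_text).map do |v|
    { version: v.to_s, affected: affected?(v) }
  end
end

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      example_client (1.0.0)
        json (>= 2.0)
      json (2.10.1)
      multi_json (1.15.0)

  DEPENDENCIES
    json
LOCK

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK).each do |r|
    status = r[:affected] ? "AFFECTED, upgrade to >= #{PATCHED}" : "ok"
    puts "json #{r[:version]}: #{status}"
  end
end
```

To audit a real project, pass `File.read("Gemfile.lock")` to `audit` instead of the sample.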
Affected products
osv-coords, 15 versions (no CPE listed):
| Package | Affected range |
|---|---|
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.16 | < 1.16.7.1.1-r1 |
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.16-kinesis | < 1.16.7.1.1-r1 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.16 | < 1.16.7.1.1-r1 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.16-kinesis | < 1.16.7.1.1-r1 |
| pkg:apk/chainguard/ruby3.2-json | < 2.10.2-r0 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.16 | < 1.16.7.1.1-r1 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.16-kinesis | < 1.16.7.1.1-r1 |
| pkg:apk/chainguard/ruby3.3-json | < 2.10.2-r0 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.16 | < 1.16.8.1.0-r0 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.16-kinesis | < 1.16.8.1.0-r0 |
| pkg:apk/chainguard/ruby3.4-json | < 2.10.2-r0 |
| pkg:apk/wolfi/ruby3.2-json | < 2.10.2-r0 |
| pkg:apk/wolfi/ruby3.3-json | < 2.10.2-r0 |
| pkg:apk/wolfi/ruby3.4-json | < 2.10.2-r0 |
| pkg:gem/json | >= 2.10.0, < 2.10.2 |
ruby/json, v5, range: >= 2.10.0, < 2.10.2
Patches
2 files changed · +2 −1
CHANGES.md+1 −0 modified@@ -1,5 +1,6 @@ # Changes +* Fix a potential crash in the C extension parser. * Raise a ParserError on all incomplete unicode escape sequence. This was the behavior until `2.10.0` unadvertently changed it. * Ensure document snippets that are included in parser errors don't include truncated multibyte characters.
ext/json/ext/parser/parser.c+1 −1 modified@@ -608,7 +608,7 @@ static VALUE json_string_unescape(JSON_ParserState *state, const char *string, c buffer = RSTRING_PTR(result); bufferStart = buffer; - while ((pe = memchr(pe, '\\', stringEnd - pe))) { + while (pe < stringEnd && (pe = memchr(pe, '\\', stringEnd - pe))) { unescape = (char *) "?"; unescape_len = 1; if (pe > p) {
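Review bot: The new CHANGES.md entry, "Fix a potential crash in the C extension parser", does not say what kind of crash this is or which part of the parser is involved, so someone reading the changelog cannot tell that it is a memory-safety fix in string unescaping. Suggest naming the condition (a read past the end of the input in `json_string_unescape`) so the entry can be matched to the advisory.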
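Review bot: No regression test accompanies the new `pe < stringEnd` guard in the `while` condition of `json_string_unescape` in parser.c: the change totals +2 −1, all of it in CHANGES.md and parser.c. Without the guard, a `pe` that has moved beyond `stringEnd` makes `stringEnd - pe` negative, and `memchr` takes that as a very large unsigned length, so the check is needed, but nothing in the hunk records which step of the loop body lets `pe` overshoot. Suggest a short comment above the `while` stating that, and a test that covers the overshooting input so the guard cannot be dropped silently in a later refactor.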
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9m3q-rhmv-5q44 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-27788 (ghsa, ADVISORY)
- github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf (ghsa, x_refsource_MISC, WEB)
- github.com/ruby/json/releases/tag/v2.10.2 (ghsa, x_refsource_MISC, WEB)
- github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2025-27788.yml (ghsa, WEB)