High severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 23, 2026
Ruby JSON has a format string injection vulnerability
CVE-2026-33210
Description
Ruby JSON is a JSON implementation for Ruby. Versions from 2.14.0 up to, but not including, 2.15.2.1, 2.17.1.2, and 2.19.2 contain a format string injection vulnerability that can lead to denial of service or information disclosure when the allow_duplicate_key: false parsing option is used to parse user-supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| json (RubyGems) | >= 2.18.0, < 2.19.2 | 2.19.2 |
| json (RubyGems) | >= 2.16.0, < 2.17.1.2 | 2.17.1.2 |
| json (RubyGems) | >= 2.14.0, < 2.15.2.1 | 2.15.2.1 |
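A triage check built from the ranges in the table above, as an added example that is not part of the advisory or of the json project: it reads the resolved json version from Gemfile.lock text, maps it to the patched release for its branch, and lists source lines that pass allow_duplicate_key: false. The helper names and the sample lockfile and source text are constructed for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# [affected range, patched release] pairs copied from the advisory table.
AFFECTED = [
  [Gem::Requirement.new(">= 2.18.0", "< 2.19.2"),   "2.19.2"],
  [Gem::Requirement.new(">= 2.16.0", "< 2.17.1.2"), "2.17.1.2"],
  [Gem::Requirement.new(">= 2.14.0", "< 2.15.2.1"), "2.15.2.1"],
].freeze

# Patched release to move to, or nil when the version is outside every affected range.
def patched_release_for(version)
  v = Gem::Version.new(version)
  hit = AFFECTED.find { |req, _| req.satisfied_by?(v) }
  hit && hit[1]
end

# Resolved json version from Gemfile.lock text (a platform suffix such as -java is dropped).
def locked_json_version(lockfile_text)
  m = lockfile_text.match(/^ {4}json \((\d[0-9A-Za-z.]*)(?:-[\w-]+)?\)\s*$/)
  m && m[1]
end

# 1-based line numbers that set allow_duplicate_key to false (keyword or hash-rocket form).
def risky_call_sites(source_text)
  pattern = /allow_duplicate_key["']?\s*(?::|=>)\s*false\b/
  source_text.each_line.with_index(1).select { |line, _| line.match?(pattern) }.map { |_, n| n }
end

# Combines both signals. Whether the parsed document is user supplied still needs review.
def triage(lockfile_text, source_text)
  version = locked_json_version(lockfile_text)
  fix = version && patched_release_for(version)
  sites = risky_call_sites(source_text)
  { version: version, upgrade_to: fix, call_sites: sites, exposed: !fix.nil? && !sites.empty? }
end

# Constructed sample inputs.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      json (2.15.2)
LOCK
SAMPLE_SOURCE = <<~SRC
  payload = request.body.read
  data = JSON.parse(payload, allow_duplicate_key: false)
SRC

p triage(SAMPLE_LOCK, SAMPLE_SOURCE) if __FILE__ == $PROGRAM_NAME
```
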
Affected products
- ruby/json (v5) range: >= 2.14.0, < 2.15.2.1
References
- github.com/advisories/GHSA-3m6g-2423-7cp3 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33210 (advisory)
- github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3 (vendor confirmation)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml (web)