Ruby JSON has a format string injection vulnerability
Description
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A format string injection vulnerability in Ruby JSON versions 2.14.0 to before 2.15.2.1, 2.17.1.2, and 2.19.2 can cause denial of service or information disclosure when parsing user-supplied JSON with allow_duplicate_key: false.
Vulnerability
Overview
A format string injection vulnerability exists in the Ruby JSON gem, affecting versions 2.14.0 up to, but not including, the patched versions 2.15.2.1, 2.17.1.2, and 2.19.2 [1][3]. The flaw is triggered specifically when the allow_duplicate_key: false parsing option is used to process user-supplied JSON documents. The root cause is that user-controlled input is improperly handled as a format string, allowing an attacker to inject formatting directives.
Exploitation
The vulnerability is exploitable by providing a crafted JSON document that, when parsed with allow_duplicate_key: false, causes the Ruby JSON parser to interpret parts of the input as format string specifiers [1][3]. No authentication is required, and the attack vector is over the network, with low attack complexity and no special privileges needed [3]. The attacker only needs to supply a malicious JSON payload to an application that uses the vulnerable parsing option.
Impact
Successful exploitation can lead to denial of service (DoS) or information disclosure [1][3]. A DoS attack could crash the Ruby process or consume excessive resources, while information disclosure might leak sensitive memory contents, such as internal data or credentials, through the format string processing.
Mitigation
The issue has been patched in JSON gem versions 2.15.2.1, 2.17.1.2, and 2.19.2 [1][4]. Users are strongly advised to upgrade to one of these patched versions. No workarounds have been publicly documented beyond updating the gem.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| json (RubyGems) | >= 2.18.0, < 2.19.2 | 2.19.2 |
| json (RubyGems) | >= 2.16.0, < 2.17.1.2 | 2.17.1.2 |
| json (RubyGems) | >= 2.14.0, < 2.15.2.1 | 2.15.2.1 |
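As an added example (not code from the advisory or the ruby/json project), the following Ruby helper maps an installed json gem version onto the three affected ranges in the table above and reports the patched version to upgrade to; it assumes only RubyGems' `Gem::Version` for comparison and the `JSON::VERSION` constant exposed by the loaded gem.

```ruby
# Added example: flag an installed json gem version that falls inside the
# affected ranges from the advisory table, so a deployment that parses
# untrusted documents with allow_duplicate_key: false can be caught before
# it is exposed. Not part of the ruby/json project.
require "rubygems"

# Ranges copied from the advisory's "Affected packages" table.
AFFECTED_RANGES = [
  { from: "2.18.0", before: "2.19.2",   patched: "2.19.2"   },
  { from: "2.16.0", before: "2.17.1.2", patched: "2.17.1.2" },
  { from: "2.14.0", before: "2.15.2.1", patched: "2.15.2.1" },
].freeze

# Returns the patched version string to upgrade to when +version+ is inside
# an affected range, or nil when the version is not affected.
def json_gem_fix_for(version)
  v = Gem::Version.new(version)
  range = AFFECTED_RANGES.find do |r|
    v >= Gem::Version.new(r[:from]) && v < Gem::Version.new(r[:before])
  end
  range && range[:patched]
end

# Convenience: check the json gem actually loaded in this process.
# Returns the patched version to move to, or nil if already safe.
def loaded_json_gem_fix
  require "json"
  json_gem_fix_for(JSON::VERSION)
end

if __FILE__ == $PROGRAM_NAME
  fix = loaded_json_gem_fix
  if fix
    puts "json #{JSON::VERSION} is affected by CVE-2026-33210; upgrade to #{fix}"
  else
    puts "json #{JSON::VERSION} is not in an affected range"
  end
end
```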
Affected products
- ruby/json: >= 2.14.0, < 2.15.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-3m6g-2423-7cp3 (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2026-33210 (NVD)
- [3] https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3 (upstream advisory, confirmed)
- [4] https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml (ruby-advisory-db entry)
News mentions
No linked articles in our index yet.