Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle
Description
Summary
Disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern, producing a use-after-free.
Version
- Software: oj gem
- Affected: all versions with
ext/oj/usual.c - Latest tested: 3.17.1 (confirmed present)
Details
ext/oj/usual.c, opt_symbol_keys_set:
// usual.c:1043–1051
if (symbol_keys) {
d->key_cache = cache_create(...); // allocate
} else {
cache_free(d->key_cache); // free — but d->key_cache pointer not NULLed
}
On the next parse call, cache_key → cache_intern reads from d->key_cache which now points to freed memory.
ASAN report: `` ==145265==ERROR: AddressSanitizer: heap-use-after-free on address 0x50b00001a318 READ of size 8 at 0x50b00001a318 thread T0 #0 cache_intern /ext/oj/cache.c:328 #1 cache_key /ext/oj/usual.c:161 #2 close_object /ext/oj/usual.c:285 #3 parse /ext/oj/parser.c:693 #4 parser_parse /ext/oj/parser.c:1408 freed by thread T0 here: #0 free #1 cache_free /ext/oj/cache.c:277 #2 opt_symbol_keys_set /ext/oj/usual.c:1051 #3 option /ext/oj/usual.c:1111 #4 parser_missing /ext/oj/parser.c:1362 0x50b00001a318 is 40 bytes inside freed 112-byte region [fd]fd fd fd fd fd fd fd ``
Reproduce
require 'oj'
p = Oj::Parser.new(:usual, symbol_keys: true)
p.symbol_keys = false # frees cache without nulling pointer
p.parse('{"attacker":1}') # UAF: reads freed cache
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
Root cause
"Missing NULL assignment after freeing the key cache pointer in opt_symbol_keys_set leads to a use-after-free."
Attack vector
An attacker who can control the JSON input passed to a reused `Oj::Parser` instance can trigger a heap use-after-free. The precondition is that the parser was first configured with `symbol_keys: true` and then `symbol_keys` is set to `false` without creating a new parser instance. The next call to `parse` with attacker-controlled JSON (e.g. `{'attacker':1}`) reads from the freed key cache via `cache_intern`, which can lead to information disclosure or code execution [ref_id=1][ref_id=2].
Affected code
The bug is in `ext/oj/usual.c` in the `opt_symbol_keys_set` function (lines 1043–1051). When `symbol_keys` is toggled from `true` to `false`, `cache_free(d->key_cache)` is called but the `d->key_cache` pointer is not set to NULL. On the next parse call, `cache_key` → `cache_intern` reads from the freed pointer, causing a use-after-free [ref_id=1][ref_id=2].
What the fix does
The patch must set `d->key_cache = NULL` after `cache_free(d->key_cache)` in the `else` branch of `opt_symbol_keys_set`. Without this fix, the dangling pointer is used on the next parse call. The advisory does not show a published patch diff, but the remediation is to add the NULL assignment so that subsequent `cache_intern` calls either see a valid cache or a NULL pointer that can be checked before use [ref_id=1][ref_id=2].
Preconditions
- configThe Oj::Parser instance must be reused after toggling symbol_keys from true to false.
- inputThe attacker must supply the JSON string that is parsed after the toggle.
Reproduction
```ruby require 'oj' p = Oj::Parser.new(:usual, symbol_keys: true) p.symbol_keys = false # frees cache without nulling pointer p.parse('{"attacker":1}') # UAF: reads freed cache ```
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.