1+ ---
2+ gem : json
3+ cve : 2026-33210
4+ ghsa : 3m6g-2423-7cp3
5+ url : https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
6+ title : Ruby JSON has a format string injection vulnerability
7+ date : 2026-03-19
8+ description : |
9+ ### Impact
10+
11+ A format string injection vulnerability than that lead to denial of
12+ service attacks or information disclosure, when the `allow_duplicate_key:
13+ false` parsing option is used to parse user supplied documents.
14+
15+ This option isn't the default, if you didn't opt-in to use it,
16+ you are not impacted.
17+
18+ ### Patches
19+
20+ Patched in `2.19.2`.
21+
22+ ### Workarounds
23+
24+ The issue can be avoided by not using the `allow_duplicate_key: false`
25+ parsing option.
26+ unaffected_versions :
27+ - " < 2.14.0"
28+ patched_versions :
29+ - " ~> 2.15.2.1"
30+ - " ~> 2.17.1.2"
31+ - " >= 2.19.2"
32+ related :
33+ url :
34+ - https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
35+ - https://github.com/advisories/GHSA-3m6g-2423-7cp3
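Review bot: the `### Patches` text says only "Patched in `2.19.2`." while `patched_versions` also lists `~> 2.15.2.1` and `~> 2.17.1.2`; either the description should mention those two backport releases or the list should be checked against the linked GHSA, since bundler-audit will treat anything matching these constraints as fixed. Note also that with `~>` constraints the 2.14.x, 2.16.x and 2.18.x series stay flagged as vulnerable (2.14.0 is the first affected version per `unaffected_versions`), which is right only if no fixed release exists for those series. Two wording fixes in the impact text: "than that lead to denial of service attacks" should read "that can lead to denial of service attacks", and "This option isn't the default, if you didn't opt-in to use it, you are not impacted." is a comma splice; suggest "This option isn't the default; if you didn't opt in to it, you are not impacted."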