Skip to main content

Oj Ruby Gem CVE-2026-54500

MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-19 https://github.com/ohler55/oj
5.3
CVSS 3.1 · Vendor: https://github.com/ohler55/oj
Share

Severity by source

Vendor (https://github.com/ohler55/oj) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network delivery of arbitrary JSON requires no authentication; impact is limited to low confidentiality (uncontrolled stack bytes); no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/ohler55/oj).

CVSS VectorVendor: https://github.com/ohler55/oj

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:46 vuln.today
Analysis Generated
Jun 19, 2026 - 21:46 vuln.today

DescriptionCVE.org

Summary

Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory.

Details

In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer b, populating it with the attribute name, and then freeing it - but it passed the uninitialized stack buffer buf (not b) to rb_intern3():

c
static VALUE form_attr(const char *str, size_t len) {
    char buf[256];
    if (sizeof(buf) - 2 <= len) {        // long-key path (len >= 254)
        char *b = OJ_R_ALLOC_N(char, len + 2);
        // ... b is filled correctly ...
        id = rb_intern3(buf, len + 1, oj_utf8_encoding);   // BUG: reads `buf`
        OJ_R_FREE(b);
        return id;
    }
    // ...
}

rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf (CWE-125). The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents.

This is the same defect previously fixed in ext/oj/usual.c; intern.c held a duplicated copy of form_attr that was missed.

Proof of Concept

ruby
require 'oj'
key  = "A" * 300
json = %Q[{"^o":"Object","#{key}":1}]
Oj.load(json, mode: :object)

On affected versions this raises an EncodingError whose message contains ~1500 bytes of uninitialized stack memory (not the supplied "A"s). The leaked byte count varies between runs with the identical payload (e.g. 1491 vs 1516 bytes), confirming the content is uninitialized memory rather than fixed data.

Impact

Information disclosure of process stack memory to a caller that parses untrusted JSON with Oj.load(..., mode: :object). For keys >= 256 bytes it is also an out-of-bounds read (CWE-125).

Severity is bounded by several preconditions: it requires :object mode (which is already discouraged for untrusted input), the leaked bytes are uncontrolled (the attacker cannot choose what is disclosed), and the data only reaches an attacker if the application surfaces the resulting Symbol or EncodingError back to them. Scored CVSS 5.3 (Medium) on that basis.

Patches

Fixed in 3.17.3: form_attr() now passes b to rb_intern3 (a one-character change mirroring the earlier usual.c fix). Verified on the fixed build: the same payload returns cleanly with no leak across repeated runs.

Credit

Reported by Zac Wang (@7a6163).

AnalysisAI

Stack memory disclosure in the Oj RubyGem (all versions before 3.17.3) allows remote unauthenticated callers to recover uninitialized process stack contents by supplying a JSON object with keys of 254 bytes or longer to Oj.load in :object mode. The root cause is a copy-paste defect in ext/oj/intern.c where form_attr() allocates and fills a correct heap buffer b but then erroneously passes the uninitialized 256-byte stack buffer buf to rb_intern3(), causing leaked bytes to surface in the returned Symbol or an EncodingError message. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted JSON with 254+ byte key
Delivery
Trigger long-key branch in form_attr()
Exploit
rb_intern3 reads uninitialized stack buffer buf
Execution
EncodingError raised containing raw stack bytes
Persist
Application returns error details to caller
Impact
Attacker extracts leaked stack memory

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) the application explicitly calls `Oj.load` with `mode: :object` - this is a non-default mode passed intentionally by the developer, not the Oj default; (2) the attacker can supply or influence the JSON string being parsed; (3) the parsed JSON contains at least one key of 254 bytes or longer to enter the vulnerable code branch (keys of 253 bytes or fewer are not affected); and (4) the application surfaces the resulting Symbol or `EncodingError` back to the attacker, either directly in a response body or via an accessible log or side channel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N yields a score of 5.3 (Medium), which is consistent with the vulnerability mechanics: network delivery is trivial and no authentication is required to send JSON, but impact is bounded to low confidentiality with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an HTTP POST request to a web API endpoint that accepts JSON and internally calls `Oj.load(body, mode: :object)`, embedding a crafted JSON object with a 300-byte key such as `{"^o":"Object","<300 A chars>":1}`. The Oj parser triggers the vulnerable `form_attr()` branch, `rb_intern3` reads approximately 301 bytes of uninitialized stack memory, and the Ruby runtime raises an `EncodingError` whose message contains those raw bytes. …
Remediation Upgrade Oj to version 3.17.3 or later, which corrects `form_attr()` in `intern.c` to pass the correctly populated heap buffer `b` to `rb_intern3()` - a one-character fix mirroring the earlier repair in `usual.c`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy