Skip to main content

Oj gem CVE-2026-54502

MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-06-19 https://github.com/ohler55/oj GHSA-3v45-f3vh-wg7m
6.3
CVSS 4.0 · Vendor: https://github.com/ohler55/oj
Share

Severity by source

Vendor (https://github.com/ohler55/oj) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Exploitation reaches Oj.dump via application input (AV:N, PR:N, UI:N) but requires the app to forward :indent unchanged, and demonstrated impact is a process crash only (A:L, C:N, I:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/ohler55/oj).

CVSS VectorVendor: https://github.com/ohler55/oj

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 01, 2026 - 00:22 NVD
6.3 (MEDIUM)
Source Code Evidence Fetched
Jun 19, 2026 - 21:22 vuln.today
Analysis Generated
Jun 19, 2026 - 21:22 vuln.today

DescriptionCVE.org

Summary

Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the (size_t) cast preserves the large value and memset writes 2 GB into the stack-allocated out buffer (4,184 bytes), corrupting the stack and crashing the process.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/dump.h
  • Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/dump.h, line 77:

c
static void fill_indent(Out out, int depth) {
    if (0 < out->opts->indent) {
        size_t len = (size_t)(out->opts->indent * depth);
        // ...
        memset(out->buf + ..., ' ', len);  // len = 2147483647 * depth

The indent option is accepted as a plain Ruby integer and stored as int without range validation. Multiplying by depth can produce a value larger than any stack or heap buffer.

ASAN report:

==69820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd1fc201278
WRITE of size 2147483647 at 0x7fd1fc201278 thread T0
    #0 memset
    #1 fill_indent  /ext/oj/dump.h:77
    #2 dump_array   /ext/oj/dump_compat.c:165
    #3 oj_dump_obj_to_json_using_params  /ext/oj/dump.c:818
    #4 dump_body    /ext/oj/oj.c:1429
    #5 dump         /ext/oj/oj.c:1480
Address is in stack of thread T0 at offset 4728 in frame:
    #0 dump /ext/oj/oj.c:1453
  [544, 4728) 'out'  <== Memory access at offset 4728 overflows this variable

Reproduce

ruby
require "oj"
obj = [0]
Oj.dump(obj, mode: :compat, indent: 2_147_483_647)

Workaround

The develop should not use extreme indents and should not offer the option for users to dump Ruby data with unlimited indentation size.

AnalysisAI

Stack-based buffer overflow in the Oj Ruby JSON gem (versions prior to 3.17.3) allows a developer-controlled large :indent value passed to Oj.dump to overwrite up to 2 GB of stack memory, crashing the Ruby process. The flaw is reachable only when application code forwards an untrusted or extreme indent value into Oj.dump, and no public exploit identified at time of analysis demonstrates code execution beyond denial of service.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint forwarding indent option
Delivery
Submit indent value INT_MAX
Exploit
Oj.dump invokes fill_indent
Execution
memset overruns stack 'out' buffer
Persist
Ruby worker process crashes
Impact
Denial of service

Vulnerability AssessmentAI

Exploitation Triggering the bug requires the application to call Oj.dump with the :indent option set to an attacker-influenced or extremely large integer (the PoC uses 2_147_483_647); the value must originate from outside the codebase, because no Oj defaults or internal callers pass such a value. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector (3.1 or 4.0), EPSS score, KEV status, or SSVC decision is provided in the input, so real-world risk must be inferred from the technical detail. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application accepts a user-supplied JSON formatting preference (for example, a pretty-print toggle that also passes a numeric indent width) and forwards that value into Oj.dump(obj, mode: :compat, indent: user_value). An attacker submits indent: 2147483647, fill_indent issues a multi-gigabyte memset against the 4 KB stack buffer, and the worker process crashes - repeated requests cause sustained denial of service. …
Remediation Vendor-released patch: upgrade the oj gem to version 3.17.3 or later (bundle update oj, then redeploy) as published in GHSA-3v45-f3vh-wg7m (https://github.com/ohler55/oj/security/advisories/GHSA-3v45-f3vh-wg7m). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit application inventory for Oj gem dependencies in all Gemfile.lock files and identify services accepting user input for JSON formatting/indent parameters. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy