Ruby JSON CVE-2026-54696
LOWSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
AC:H retained for the ~16 KB string-size precision requirement; A:H assigned because the heap overflow reliably crashes the process, not merely degrades it.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provided with an oversized streamed object. When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io) can write past the internal JSON generator buffer when a streamed object contains an attacker-controlled string near 16 KB. Exploitation would result in a reliable process crash/denial of service. This issue has been fixed in version 2.19.9.
AnalysisAI
Heap buffer overflow in the Ruby JSON gem's streaming generator (versions 2.9.0-2.19.8) enables reliable process crash via attacker-controlled serialized data. When applications invoke JSON.dump(obj, io) or JSON::State#generate(obj, io) to stream JSON to an IO object, the C-level generator can write past its internal buffer if the serialized object contains a string near 16 KB in size. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: (1) the application must invoke the streaming form of the JSON generator - specifically `JSON.dump(obj, io)` or `JSON::State#generate(obj, io)` where `io` is an IO object, not a String; and (2) the object being serialized must contain an attacker-controlled string value approaching 16 KB in length. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) scores 3.7 (Low), which is broadly consistent with the observed threat profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a JSON serialization request to a Ruby web application - for example, an API endpoint that reflects user-supplied data - where the handler calls `JSON.dump(payload, response_io)` to stream the response. By crafting a string value in the payload that is just under 16 KB, the attacker causes the C-level generator to write past its internal buffer on the heap, crashing the Ruby worker process and returning a 500 error or connection reset to the client. … |
| Remediation | Upgrade the Ruby JSON gem to version 2.19.9, which contains the vendor-confirmed fix per the GitHub release at https://github.com/ruby/json/releases/tag/v2.19.9 and the security advisory at https://github.com/ruby/json/security/advisories/GHSA-x2f5-4prf-w687. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
This affects the package json before 10.0.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable,
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. Rated critical severity (CVSS 9.8), this vulnerabil
JSON++ through 2016-06-15 has a buffer over-read in yyparse() in json.y. Rated critical severity (CVSS 9.8), this vulner
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. Rated high severity (CVSS 7.5), this vulnerability
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today