Oj gem CVE-2026-54896
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Indent is a developer-controlled, non-public option so PR:H and AC:H; impact is realistically heap corruption causing crash, hence I:L/A:L and no confidentiality loss.
Primary rating from Vendor (https://github.com/ohler55/oj).
CVSS VectorVendor: https://github.com/ohler55/oj
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
Oj.dump in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory.
Version
- Software: oj gem
- Affected: all versions with
ext/oj/dump.h - Latest tested: 3.17.1 (confirmed present)
Details
ext/oj/dump.h, line 75-77:
static void fill_indent(Out out, int depth) {
if (0 < out->opts->indent) {
memset(out->buf + out->cur, ' ', (size_t)(out->opts->indent * depth));When dumping an Exception object in :object mode, dump_obj_attrs calls fill_indent repeatedly for each attribute. The buffer is pre-allocated based on the serialized content but not the indentation overhead. With indent: 5000 the indent block for a nested object exceeds the remaining buffer space, producing a heap-buffer-overflow of size 5,000 at the end of the allocated region.
ASAN report:
==101656==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x527000022c5e
WRITE of size 5000 at 0x527000022c5e thread T0
#0 memset
#1 fill_indent /ext/oj/dump.h:77
#2 dump_obj_attrs /ext/oj/dump_object.c:552
#3 dump_obj /ext/oj/dump_object.c:80
#4 oj_dump_obj_val /ext/oj/dump_object.c:708
#5 oj_dump_obj_to_json_using_params /ext/oj/dump.c:817
#6 dump_body /ext/oj/oj.c:1429
#7 dump /ext/oj/oj.c:1480
0x527000022c5e is located 0 bytes after 13150-byte region [0x52700001f900, 0x527000022c5e)Reproduce
require "oj"
obj = Oj.load('{"^o":"RuntimeError"}', mode: :object)
Oj.dump(obj, mode: :object, indent: 5000)Workarounds
This is at the discretion of the developer and not a public facing option so the workaround is the develop should not use extreme indents and should not offer the option for users to dump Ruby data with unlimited indentation size.
AnalysisAI
Heap buffer overflow in the Ruby Oj gem (versions before 3.17.3) occurs when Oj.dump serializes Exception objects in :object mode with an extreme :indent value. The pre-allocated output buffer does not account for indent padding bytes, allowing writes past the heap region and corrupting adjacent memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three specific conditions all being true: (1) the application calls Oj.dump in :object mode (not :compat, :strict, or :rails mode), (2) the serialized value is or contains an Exception object so dump_obj_attrs is reached, and (3) the :indent option is set to an extreme value (the advisory demonstrates 5000) - either hard-coded or, more dangerously, derived from attacker-controlled input. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS, EPSS, or KEV signal is provided in the input, so prioritization rests on the description and CWE-122 classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application using oj allows a user-tunable 'pretty print indent' field that is passed unchecked into Oj.dump in :object mode. An attacker submits a payload that causes an Exception to be serialized with indent set to a very large value, triggering the heap overflow and crashing the Ruby worker (denial of service), with theoretical potential for memory corruption depending on heap layout. … |
| Remediation | Upgrade the oj gem to the vendor-released patch version 3.17.3 (per the package metadata in the GitHub advisory at https://github.com/ohler55/oj/security/advisories/GHSA-35w3-pjm6-wj95) by updating the Gemfile constraint and running bundle update oj, then redeploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Ruby applications and services using the Oj gem; catalog current versions and affected deployments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-35w3-pjm6-wj95