Skip to main content

Oj gem CVE-2026-54903

MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-19 https://github.com/ohler55/oj GHSA-475m-ph3x-64gp
6.3
CVSS 4.0 · Vendor: https://github.com/ohler55/oj
Share

Severity by source

Vendor (https://github.com/ohler55/oj) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network-reachable via any endpoint calling Oj.load; AC:H because exploitation requires delivering a >2GB payload past typical body limits; PR:N/UI:N; impact is process crash, so only A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/ohler55/oj).

CVSS VectorVendor: https://github.com/ohler55/oj

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 01, 2026 - 00:22 NVD
6.3 (MEDIUM)
Source Code Evidence Fetched
Jun 19, 2026 - 21:36 vuln.today
Analysis Generated
Jun 19, 2026 - 21:36 vuln.today

DescriptionCVE.org

Summary

Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/buf.h and ext/oj/parse.c
  • Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/buf.h, line 61:

c
inline static void buf_append_string(Buf buf, const char *s, size_t slen) {
    // ...
    memcpy(buf->tail, s, slen);   // slen derived from 32-bit int that wrapped negative

In parse.c, escape sequence handling computes the remaining string length as an int:

c
// parse.c:402 (read_escaped_str)
int  slen = (int)(s - str);   // ← wraps to negative when string > 2 GB
buf_append_string(buf, str, (size_t)slen);  // ← (size_t)(-2147483648) = 0x80000000...

ASAN report:

==399019==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 __asan_memcpy
    #1 buf_append_string  /ext/oj/buf.h:61
    #2 read_escaped_str   /ext/oj/parse.c:402
    #3 read_str           /ext/oj/parse.c:542
    #4 oj_parse2          /ext/oj/parse.c:882
    #5 oj_pi_parse        /ext/oj/parse.c:1256
    #6 oj_object_parse    /ext/oj/object.c:701
    #7 load               /ext/oj/oj.c:1259
0x7f5a26ff0801 is located 1 bytes inside of 2147483657-byte region [0x7f5a26ff0800, 0x7f5aa6ff0809)

Reproduce

ruby
require 'oj'
n = 1 << 31
# 2 GB
json = '"' + ('A' * n) + 'A"'
# >2GB JSON string with a trailing escape
Oj.load(json)

AnalysisAI

Heap corruption in the Ruby Oj JSON parser (Oj.load) is triggered when applications process attacker-controlled JSON strings larger than 2 GB containing an escape sequence, due to an integer overflow in read_escaped_str that wraps a 32-bit length to a negative value and is then cast to size_t, causing memcpy to copy ~2 GB out of bounds. Versions of the oj gem prior to 3.17.3 are affected, and no public exploit identified at time of analysis; CVSS and EPSS are not provided.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify endpoint calling Oj.load on user input
Delivery
Craft >2GB JSON string with escape
Exploit
Submit oversized payload to target
Install
Trigger integer overflow in read_escaped_str
C2
Negative size_t passed to memcpy
Execute
Out-of-bounds copy corrupts heap
Impact
Worker process crash / denial of service

Vulnerability AssessmentAI

Exploitation The vulnerable application must call `Oj.load` (or an equivalent Oj parsing entry point reaching `read_escaped_str`) on attacker-controlled input, the input JSON must exceed 2 GB (2^31 bytes) so that the `int` length calculation wraps negative, and the oversized string must contain at least one escape sequence to enter the `read_escaped_str` path shown in the advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS, EPSS, KEV, or SSVC data is provided, so risk must be inferred from the description, advisory, and code path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a JSON document larger than 2 GB containing an escaped character (e.g. a 2 GB string ending in a backslash escape) to an endpoint that calls `Oj.load` on the request body; the integer-overflowed length triggers an out-of-bounds `memcpy` that crashes the worker process and may corrupt heap memory, taking the service offline. …
Remediation Vendor-released patch: upgrade the `oj` gem to version 3.17.3 or later (advisory GHSA-475m-ph3x-64gp at https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp), e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Ruby applications and identify those using the Oj gem; implement JSON input size limits (maximum 2 GB) as immediate mitigation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54903 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy