Out-of-Bounds Memory Access in Oj JSON Parser Affecting Ruby Applications
CVE-2026-54500

5.3 MEDIUM

Key Information:

Vendor

Ohler55

Status
Vendor
CVE Published:
30 June 2026

What is CVE-2026-54500?

The Oj (Optimized JSON) parser, a Ruby gem, has a vulnerability in versions prior to 3.17.3: Oj.load in :object mode can read uninitialized stack memory. When parsing a JSON object whose keys are 254 bytes or longer, the library inadvertently discloses sensitive data from the process stack. The cause is improper memory handling in the underlying C code during key parsing; the leaked bytes can surface through interned symbols or encoding errors. Updating to version 3.17.3 remedies the issue by correcting the handling of memory allocation.
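As an added example (not from the advisory or the Oj project), a Ruby pre-check for deployments that cannot upgrade immediately: it gates on the installed Oj version (assuming the gem's Oj::VERSION constant; an unknown version is treated as unpatched) and, when the gem is older than 3.17.3, parses the input with the stdlib JSON parser first and rejects any document containing a key of 254 bytes or longer before it reaches Oj.load in :object mode. The 254-byte threshold is checked in bytes, not characters, so multibyte keys are measured the way the C parser sees them.

```ruby
require 'json'
require 'rubygems'

# Keys of 254 bytes or more trigger the uninitialized read on unpatched Oj.
MAX_SAFE_KEY_BYTES = 253
FIXED_OJ_VERSION = Gem::Version.new('3.17.3')

# True when the given Oj version string carries the fix. nil (unknown
# version) is conservatively treated as unpatched.
def oj_patched?(version_string)
  return false if version_string.nil?
  Gem::Version.new(version_string) >= FIXED_OJ_VERSION
end

# Returns the installed Oj version, or nil when the gem is not loadable.
# Assumes the gem defines Oj::VERSION.
def installed_oj_version
  require 'oj'
  Oj::VERSION
rescue LoadError
  nil
end

# Walks a parsed JSON document and collects every object key whose byte
# length exceeds the limit, at any nesting depth.
def long_keys(doc, limit = MAX_SAFE_KEY_BYTES)
  case doc
  when Hash
    doc.flat_map { |k, v| (k.bytesize > limit ? [k] : []) + long_keys(v, limit) }
  when Array
    doc.flat_map { |v| long_keys(v, limit) }
  else
    []
  end
end

# True when json_text may be handed to Oj.load(json_text, mode: :object):
# either the installed Oj is patched, or no key reaches the unsafe length.
# Uses the stdlib parser for the inspection so the untrusted bytes never
# reach the affected code path on an unpatched gem.
def safe_for_object_mode?(json_text, oj_version = installed_oj_version)
  return true if oj_patched?(oj_version)
  long_keys(JSON.parse(json_text)).empty?
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: one 254-byte key nested inside an array.
  sample = JSON.generate('outer' => [{ 'k' * 254 => 1 }])
  puts "installed oj: #{installed_oj_version.inspect}"
  puts "safe for :object mode: #{safe_for_object_mode?(sample)}"
end
```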

Affected Version(s)

oj < 3.17.3

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
