Out-of-Bounds Memory Access in Oj JSON Parser Affecting Ruby Applications
CVE-2026-54500
5.3 MEDIUM
What is CVE-2026-54500?
Oj (Optimized JSON) is a Ruby gem whose parser is implemented in C. In versions prior to 3.17.3, Oj.load called in :object mode can read uninitialized stack memory while parsing a JSON object whose keys are 254 bytes or longer. The key-parsing code in the C extension mishandles the buffer used for such keys, so bytes left over on the process stack can be carried into the parsed result and disclosed to whoever receives it, either through the interned symbol built from the key or through an encoding error that surfaces the stray bytes. Untrusted JSON handed to Oj.load in :object mode can therefore expose fragments of the parsing process's stack. Version 3.17.3 corrects the key buffer handling; upgrading to it is the fix.
Affected Version(s)
oj < 3.17.3
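As an added example (not code from the Oj project or from this advisory), the following Ruby gate is what an application can put in front of Oj.load(..., mode: :object) while it is still on a vulnerable release. It parses the document with the standard-library JSON parser, measures the longest object key in bytes at any nesting depth, and refuses anything with a key of 254 bytes or more, which is the trigger condition the advisory describes; the installed-version comparison uses Gem::Version against the fixed release 3.17.3. The function names, the 253-byte threshold derived from the advisory, and the sample documents are assumptions of this example.

```ruby
require "json"
require "rubygems"

# Added example, not from the Oj project or the advisory.
# Gate for CVE-2026-54500: keys of 254 bytes or longer trigger the stack read
# in Oj.load(..., mode: :object) before Oj 3.17.3.
FIXED_OJ_VERSION   = Gem::Version.new("3.17.3")
MAX_SAFE_KEY_BYTES = 253   # assumption: one byte below the 254-byte trigger

# True when the given Oj version string is at or above the fixed release.
def oj_fixed?(version_string)
  Gem::Version.new(version_string) >= FIXED_OJ_VERSION
end

# Longest object key, in bytes, anywhere in a document already parsed by the
# stdlib JSON parser. Hashes and arrays are walked recursively; scalars count 0.
def longest_key_bytes(node)
  case node
  when Hash
    node.reduce(0) do |max, (key, value)|
      [max, key.to_s.bytesize, longest_key_bytes(value)].max
    end
  when Array
    node.map { |value| longest_key_bytes(value) }.max || 0
  else
    0
  end
end

# True if raw JSON text is safe to hand to a vulnerable Oj in :object mode.
# Malformed input raises JSON::ParserError so callers fail closed.
def safe_for_vulnerable_oj?(raw_json)
  longest_key_bytes(JSON.parse(raw_json)) <= MAX_SAFE_KEY_BYTES
end

# Decision helper: a fixed gem may parse anything; a vulnerable gem only sees
# documents that passed the key-length gate.
def should_use_oj_object_mode?(raw_json, installed_oj_version)
  return true if oj_fixed?(installed_oj_version)

  safe_for_vulnerable_oj?(raw_json)
end

# Constructed sample inputs for a stand-alone run.
SHORT_KEY_DOC = '{"name":"x","nested":{"inner":[{"deep":1}]}}'
LONG_KEY_DOC  = '{"' + ("a" * 254) + '":1}'

if $PROGRAM_NAME == __FILE__
  puts "short-key doc, oj 3.16.0: #{should_use_oj_object_mode?(SHORT_KEY_DOC, '3.16.0')}"
  puts "254-byte key, oj 3.16.0:  #{should_use_oj_object_mode?(LONG_KEY_DOC, '3.16.0')}"
  puts "254-byte key, oj 3.17.3:  #{should_use_oj_object_mode?(LONG_KEY_DOC, '3.17.3')}"
end
```

The gate measures key length after the stdlib parser has decoded escape sequences, so a key written with many \uXXXX escapes is shorter in decoded bytes than in the raw text. If it matters which length the C extension counts, treat the gate as a stopgap only and prioritise the upgrade to 3.17.3, which removes the need for it.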
