Buffer Overflow Vulnerability in Oj JSON Parser by Ohler55
CVE-2026-54592
7.5 HIGH
What is CVE-2026-54592?
The Oj JSON parser, developed by Ohler55, is vulnerable to a buffer overflow that can lead to denial of service (DoS). The flaw affects versions before 3.17.3 and is triggered when the Oj::Doc#each_child method is executed recursively over deeply nested JSON documents. It stems from missing bounds checking: the method advances into a fixed-size stack buffer beyond its allocated size. An attacker can trigger the flaw with deeply nested JSON input, causing the parser to overwrite memory and crash the process. The vulnerability has been addressed in version 3.17.3.
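As a defensive illustration added to this entry (this is not code from the Oj project or from the advisory), the following Ruby snippet computes a JSON text's maximum array/object nesting depth with an iterative scan and rejects input deeper than an application-chosen limit before the text is handed to Oj::Doc on a version older than 3.17.3. The limit value, the helper names and the usage shown in the trailing comment are assumptions.

```ruby
# Added example, not part of the advisory or the Oj project.
# Iterative nesting-depth gate for untrusted JSON, intended to run
# before Oj::Doc#each_child walks the document recursively.

# Assumed, application-chosen limit on bracket nesting depth.
MAX_DEPTH = 64

# Returns the maximum nesting depth of arrays/objects in a JSON text.
# The scan is iterative (no recursion), skips string contents so that
# brackets inside strings are not counted, and honours backslash escapes.
# Returns nil when brackets are unbalanced or mismatched, or when a
# string is left open.
def json_max_depth(text)
  depth = 0
  max = 0
  stack = []
  in_string = false
  escaped = false

  text.each_char do |c|
    if in_string
      if escaped
        escaped = false
      elsif c == "\\"
        escaped = true
      elsif c == '"'
        in_string = false
      end
      next
    end

    case c
    when '"'
      in_string = true
    when '{', '['
      stack.push(c)
      depth += 1
      max = depth if depth > max
    when '}', ']'
      opener = stack.pop
      return nil if opener.nil?
      return nil if (c == '}' && opener != '{') || (c == ']' && opener != '[')
      depth -= 1
    end
  end

  return nil if in_string || !stack.empty?
  max
end

# True when the text is well-bracketed and nests no deeper than limit.
def safe_nesting?(text, limit = MAX_DEPTH)
  d = json_max_depth(text)
  !d.nil? && d <= limit
end

# Gate: raise before handing the text to a recursive walker.
def checked_json_input(text, limit = MAX_DEPTH)
  unless safe_nesting?(text, limit)
    raise ArgumentError, "JSON nesting depth exceeds #{limit} or document is malformed"
  end
  text
end

# Assumed usage with Oj (the oj gem is not required to run this file):
#   Oj::Doc.open(checked_json_input(untrusted)) do |doc|
#     doc.each_child { |child| ... }
#   end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs
  puts json_max_depth('{"a":[1,{"b":[]}]}')   # 4
  puts json_max_depth('{"k":"[[[["}')         # 1 (brackets inside string ignored)
  puts safe_nesting?('[' * 10 + ']' * 10, 8)  # false
end
```

The check is deliberately linear and non-recursive, so a hostile document cannot exhaust the checker's own stack; rejecting the input up front means the recursive walker never sees it.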
Affected Version(s)
oj < 3.17.3
