Heap Use-After-Free Vulnerability in Oj JSON Parser by Optimized JSON
CVE-2026-54897
What is CVE-2026-54897?
Oj (Optimized JSON), a widely used JSON parser and object marshaller in the Ruby ecosystem, is affected by a heap use-after-free vulnerability in versions before 3.17.2. The bug is reached through the document iterators each_value, each_child, and each_leaf. If the Ruby block passed to one of these iterators calls a method that closes the document (doc.close or d.close) while the iterator is still running, the heap memory allocated for the document is freed. When control returns to the iterator, it reads from that freed memory, which is undefined behavior and a potential security risk. Users are strongly advised to upgrade to version 3.17.2 or later to mitigate this issue; until the upgrade is applied, a document should not be closed from inside an iterator block. For further details on the vulnerability, visit GitHub Advisory.
Affected Version(s)
oj < 3.17.2
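The affected range above can be checked against a project's Gemfile.lock. The following is an added example, not code from the advisory or from the Oj project; it assumes a standard Bundler lockfile layout and uses a constructed sample lockfile rather than a real project's.

```ruby
# Added example (not from the advisory): report whether a Gemfile.lock pins an
# oj release in the affected range of CVE-2026-54897 (oj < 3.17.2).
require "rubygems"

FIXED_OJ_VERSION = Gem::Version.new("3.17.2")

# Extract the locked oj version from Gemfile.lock text. Under GEM/specs the
# entry looks like "    oj (3.16.9)" (four-space indent); returns nil if absent.
def locked_oj_version(lockfile_text)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}oj \((\d[^)\s]*)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# True when the version is affected. Gem::Version handles prerelease tags,
# so "3.17.2.pre1" correctly sorts below the fixed release.
def oj_affected?(version)
  version = Gem::Version.new(version) unless version.is_a?(Gem::Version)
  version < FIXED_OJ_VERSION
end

# Overall verdict for a lockfile: :not_present, :affected, or :fixed.
def assess_lockfile(lockfile_text)
  version = locked_oj_version(lockfile_text)
  return :not_present if version.nil?
  oj_affected?(version) ? :affected : :fixed
end

# Constructed sample lockfile fragment (not a real project's lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bigdecimal (3.1.8)
      oj (3.16.9)
        bigdecimal (>= 3.0)
      ostruct (0.6.0)

  DEPENDENCIES
    oj
LOCK

if __FILE__ == $0
  puts "oj #{locked_oj_version(SAMPLE_LOCKFILE)}: #{assess_lockfile(SAMPLE_LOCKFILE)}"
end
```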
