Lucene search
K

168 matches found

debiancve
debiancve
added 2026/06/30 11:10 p.m.4 views

CVE-2026-54502

Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fillindent in dump.h calls memsetindentstr, ' ', sizetopts-indent without...

6.3CVSS6.1AI score0.00257EPSS
Exploits0
cve
cve
added 2026/06/30 11:8 p.m.27 views

CVE-2026-54500

Oj (Optimized JSON) is a Ruby gem for JSON parsing/ marshalling. Affects versions prior to 3.17.3 where Oj.load in mode :object reads uninitialized stack memory when a JSON object has a long key (254+ bytes). In ext/oj/intern.c, form_attr() passes an uninitialized stack buffer to rb_intern3(), ca...

5.3CVSS5.9AI score0.00197EPSS
Exploits0References1
debiancve
debiancve
added 2026/06/30 11:8 p.m.6 views

CVE-2026-54500

Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory and, for long keys, reads out of bounds when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surfac...

5.3CVSS5.9AI score0.00197EPSS
Exploits0
cve
cve
added 2026/06/30 11:3 p.m.27 views

CVE-2026-54899

Oj (Optimized JSON) is a Ruby gem for JSON parsing/marshalling. Prior to 3.17.2, disabling symbol_keys on a reused Oj::Parser can cause a heap use-after-free when toggling symbol_keys from true to false: opt_symbol_keys_set frees the internal key cache but does not clear the pointer, so the next ...

6.3CVSS5.7AI score0.00428EPSS
Exploits0References1
debiancve
debiancve
added 2026/06/30 11:3 p.m.6 views

CVE-2026-54899

Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, disabling symbolkeys on a reused Oj::Parser instance triggers a heap use-after-free. When symbolkeys is toggled from true to false, optsymbolkeysset frees the internal key cache cachefree but...

6.3CVSS5.7AI score0.00428EPSS
Exploits0
osv
osv
added 2026/06/19 8:47 p.m.5 views

GHSA-475M-PH3X-64GP Oj: Integer Overflow in Oj.load 2GB String Handling

Summary Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in bufappendstring buf.h:61 converts the string length to a large negative sizet, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process...

8.7CVSS5.9AI score0.00253EPSS
Exploits0References2
snyk
snyk
added 2026/06/19 8:47 p.m.5 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the Oj::Parser when operating in SAJ mode with object keys of 35 bytes or longer. An attacker can cause a segmentation fault by triggering garbage collection within a callback, leading to use of a freed memory pointer...

8.7CVSS5.9AI score0.00253EPSS
Exploits0References2
github
github
added 2026/06/19 8:47 p.m.11 views

Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback

Summary Oj::Parser in SAJ mode does not protect cached object keys ≥ 35 bytes from garbage collection. A Ruby callback that triggers GC inside hashend can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results i...

6.3CVSS5.8AI score0.00253EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/06/19 8:47 p.m.5 views

GHSA-VWM4-62GF-X745 Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking

Summary Oj::Parser in usual mode does not mark arrayclass and hashclass references during garbage collection. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent parse call dereferences the freed...

8.7CVSS5.8AI score0.00253EPSS
Exploits0References2
osv
osv
added 2026/06/19 8:47 p.m.7 views

GHSA-9CV6-QCJW-4GRX Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling

Summary Oj::Parserparse in usual mode with createid enabled is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in formattr usual.c:63 converts the length to -1 before passing it to memcpy. This causes memcpy to...

8.7CVSS5.9AI score0.00253EPSS
Exploits0References2
github
github
added 2026/06/19 8:47 p.m.10 views

Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling

Summary Oj::Parserparse in usual mode with createid enabled is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in formattr usual.c:63 converts the length to -1 before passing it to memcpy. This causes memcpy to...

6.3CVSS5.9AI score0.00253EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/06/19 7:36 p.m.6 views

GHSA-Q2GM-54R6-8FWM Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation

Summary Oj::Parserparse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte pointer into the Ruby string's internal buffer. If a callback e.g. hashstart resizes the string — for example by calling...

8.7CVSS6.1AI score0.00117EPSS
Exploits0References2
github
github
added 2026/06/19 7:36 p.m.12 views

Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation

Summary Oj::Parserparse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte pointer into the Ruby string's internal buffer. If a callback e.g. hashstart resizes the string — for example by calling...

2.1CVSS6.1AI score0.00117EPSS
Exploits0References2Affected Software1
snyk
snyk
added 2026/06/19 7:36 p.m.6 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the eachvalue, eachchild, or eachleaf iterators when a Ruby block executed during iteration calls the close method on the document or its child nodes. An attacker can cause memory corruption by invoking close within a...

8.2CVSS5.9AI score0.00117EPSS
Exploits0References2
osv
osv
added 2026/06/19 7:36 p.m.6 views

GHSA-9PPP-W3G4-FH4Q Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close

Summary Oj::Doc iterators eachvalue, eachchild, eachleaf are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator rea...

8.7CVSS6.1AI score0.00117EPSS
Exploits0References2
github
github
added 2026/06/19 7:36 p.m.14 views

Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close

Summary Oj::Doc iterators eachvalue, eachchild, eachleaf are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator rea...

2.1CVSS6.1AI score0.00117EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/06/19 7:36 p.m.6 views

GHSA-35W3-PJM6-WJ95 Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent

Summary Oj.dump in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the...

8.7CVSS6.2AI score0.00119EPSS
Exploits0References2
github
github
added 2026/06/19 7:36 p.m.13 views

Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent

Summary Oj.dump in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the...

2.1CVSS6.2AI score0.00119EPSS
Exploits0References2Affected Software1
snyk
snyk
added 2026/06/19 7:36 p.m.6 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write through recursive calls to the eachchild function when processing deeply nested input. An attacker can cause the process to crash and trigger a denial of service by supplying a specially crafted, deeply nested JSON...

8.7CVSS5.9AI score0.00263EPSS
Exploits0References3
osv
osv
added 2026/06/19 7:35 p.m.7 views

GHSA-FM7P-MPRW-WJM9 Oj: intern.c form_attr (uninitialized stack read)

Summary Oj.load in :object mode reads uninitialized stack memory and, for long keys, reads out of bounds when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. Details In ext/oj/intern.c, formattr handles the...

5.3CVSS6.1AI score0.00197EPSS
Exploits0References2
Rows per page
Query Builder