Fluid Attacks Database

Description

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	json	>=2.18.0 <2.19.2 \|\| >=2.16.0 <2.17.1.2 \|\| >=2.14.0 <2.15.2.1	2.19.2, 2.17.1.2, 2.15.2.1
rpm rhel10	ruby4.0	<0:4.0.3-34.el10_2	0:4.0.3-34.el10_2
debian 14	ruby-json	=2.15.2+dfsg-1 \|\| =2.18.1+dfsg-1 \|\| =2.19.1+dfsg-1 \|\| =2.9.1+dfsg-1 \|\| >=0 <2.19.2+dfsg-1	2.19.2+dfsg-1
rpm rhel9	ruby	<0:4.0.3-32.module+el9.8.0+24280+122d8796	0:4.0.3-32.module+el9.8.0+24280+122d8796
rpm rhel10	ruby	-	-

Aliases

1. CVE-2026-332102. NVD-2026-332103. OSV-2026-332104. OSV-DEBIAN-2026-332105. GHSA-3m6g-2423-7cp36. GCVE-2026-332107. SECURITY-TRACKER-CVE-2026-33210

References

1. https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp32. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.