Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer, `b`, populating it with the attribute name, and then freeing it — but it passed the uninitialized stack buffer buf (not b) to rb_intern3(). rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf. The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents. This issue has been fixed in version 3.17.3.
Severity (CVSS)
| Base score | 5.3 |
|---|---|
| Severity | Medium |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Provided by | CNA |
Weaknesses
- CWE-125 — CWE-125: Out-of-bounds Read
- CWE-908 — CWE-908: Use of Uninitialized Resource
Affected products
| Vendor | Product | Versions |
|---|---|---|
| ohler55 | oj | < 3.17.3 |
References
- https://github.com/ohler55/oj/security/advisories/GHSA-fm7p-mprw-wjm9 (x_refsource_CONFIRM)
Generated from the official CVE List on 01 Jul 2026 07:05 UTC.