RubySec

Providing security resources for the Ruby community

CVE-2022-32511 (jmespath): JMESPath for Ruby using JSON.load instead of JSON.parse

ADVISORIES

GEM

jmespath

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

  • >= 1.6.1

DESCRIPTION

jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.

RELATED

Contact us @rubysec or open an issue on our GitHub repository.

Recent Advisories