GEM
UNAFFECTED VERSIONS
- < 2.14.0
PATCHED VERSIONS
- ~> 2.15.2.1
- ~> 2.17.1.2
- >= 2.19.2
DESCRIPTION
Impact
A format string injection vulnerability that can lead to denial of
service or information disclosure when the allow_duplicate_key:
false parsing option is used to parse user-supplied documents.
This option is not the default; if you did not opt in to it, you are not affected.
Patches
Patched in 2.19.2.
Workarounds
The issue can be avoided by not using the allow_duplicate_key: false
parsing option.
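As an added example, not part of the advisory: a small Ruby helper that encodes the version ranges above with Gem::Requirement and only passes allow_duplicate_key: false when the installed gem is known not to be affected. It assumes the advisory concerns the json gem (the page does not name it), whose version is exposed as JSON::VERSION.

```ruby
require 'json'
require 'rubygems'

# Version ranges copied from the advisory above.
UNAFFECTED = Gem::Requirement.new('< 2.14.0')
PATCHED = ['~> 2.15.2.1', '~> 2.17.1.2', '>= 2.19.2'].map do |req|
  Gem::Requirement.new(req)
end

# true when this gem version is vulnerable with allow_duplicate_key: false
def affected_version?(version)
  v = Gem::Version.new(version)
  return false if UNAFFECTED.satisfied_by?(v)

  PATCHED.none? { |req| req.satisfied_by?(v) }
end

# Request duplicate-key rejection only when the installed version is safe;
# on an affected version fall back to the default (last key wins) behaviour,
# which is the workaround the advisory describes.
def parse_options(version = JSON::VERSION)
  affected_version?(version) ? {} : { allow_duplicate_key: false }
end

# Parse an untrusted document with the options chosen above. The version
# keyword exists so the decision can be exercised independently of the
# locally installed gem (assumed helper, not part of the json API).
def safe_parse(document, version: JSON::VERSION)
  JSON.parse(document, **parse_options(version))
end

if __FILE__ == $PROGRAM_NAME
  puts "json #{JSON::VERSION} affected: #{affected_version?(JSON::VERSION)}"
  p safe_parse('{"a":1,"a":2}')
end
```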
