Ruby JSON has a format string injection vulnerability
Published: March 19, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-33210 (NVD)
- GHSA: GHSA-3m6g-2423-7cp3
- Vendor Advisory: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
GEM
json
UNAFFECTED VERSIONS
< 2.14.0
PATCHED VERSIONS
~> 2.15.2.1
~> 2.17.1.2
>= 2.19.2
DESCRIPTION
Impact
A format string injection vulnerability that can lead to denial of
service attacks or information disclosure when the allow_duplicate_key:
false parsing option is used to parse user-supplied documents.
This option is not the default; if you did not opt in to it, you are not impacted.
Patches
Patched in 2.19.2.
Workarounds
The issue can be avoided by not using the allow_duplicate_key: false
parsing option.
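As an added example (not code from the advisory or the ruby/json project), the following Ruby script checks a json gem version against the unaffected and patched ranges listed above, and applies the advisory's workaround by dropping allow_duplicate_key: false from the parse options only while the loaded gem is in an affected version. The helper names (json_version_vulnerable?, safe_parse_options) are hypothetical.

```ruby
require "rubygems"
require "json"

# Version constraints copied from the advisory for the json gem.
UNAFFECTED_JSON = Gem::Requirement.new("< 2.14.0")
PATCHED_JSON = [
  Gem::Requirement.new("~> 2.15.2.1"), # 2.15.2.1 <= v < 2.15.3
  Gem::Requirement.new("~> 2.17.1.2"), # 2.17.1.2 <= v < 2.17.2
  Gem::Requirement.new(">= 2.19.2"),
].freeze

# True when the given json gem version is neither below the affected
# range nor inside one of the patched release lines.
def json_version_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  return false if UNAFFECTED_JSON.satisfied_by?(version)
  !PATCHED_JSON.any? { |req| req.satisfied_by?(version) }
end

# Apply the advisory's workaround: on an affected version, refuse to
# pass allow_duplicate_key: false when parsing untrusted input and keep
# every other requested option untouched. On a patched version the
# requested options are returned as-is.
def safe_parse_options(version_string, requested = {})
  opts = requested.dup
  if json_version_vulnerable?(version_string) && opts[:allow_duplicate_key] == false
    opts.delete(:allow_duplicate_key)
  end
  opts
end

# Parse an untrusted document with options filtered for the json gem
# loaded in this process.
def parse_untrusted(document, requested = {})
  JSON.parse(document, safe_parse_options(JSON::VERSION, requested))
end

if __FILE__ == $PROGRAM_NAME
  status = json_version_vulnerable?(JSON::VERSION) ? "AFFECTED" : "not affected"
  puts "json #{JSON::VERSION}: #{status}"
end
```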
