Oj - intern.c form_attr (uninitialized stack read)
Published: June 19, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54500 (NVD)
- GHSA: GHSA-fm7p-mprw-wjm9
GEM
oj
SEVERITY
CVSS v3.x: 5.3 (Medium)
PATCHED VERSIONS
>= 3.17.3
DESCRIPTION
Summary
Oj.load in :object mode reads uninitialized stack memory (and,
for long keys, reads out of bounds) when parsing a JSON object whose
key is 254 bytes or longer. The interned bytes can surface to the
caller, disclosing process stack memory.
Impact
Information disclosure of process stack memory to a caller that parses
untrusted JSON with Oj.load(..., mode: :object). For keys >= 256
bytes it is also an out-of-bounds read (CWE-125).
Severity is bounded by several preconditions: it requires :object
mode (which is already discouraged for untrusted input), the leaked
bytes are uncontrolled (the attacker cannot choose what is disclosed),
and the data only reaches an attacker if the application surfaces the
resulting Symbol or EncodingError back to them. Scored CVSS 5.3
(Medium) on that basis.
Patches
Fixed in 3.17.3: form_attr() now passes b to rb_intern3 (a
one-character change mirroring the earlier usual.c fix). Verified on
the fixed build: the same payload returns cleanly with no leak across
repeated runs.
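The following Ruby check is an added example, not code from the advisory or from the Oj project: it reads the Oj version resolved in a Gemfile.lock, compares it with the patched version 3.17.3, and lists call sites that select :object mode. The lockfile, source text and file path are constructed samples; treating every version below 3.17.3 as affected and the call-site regex are assumptions.

```ruby
require "rubygems"

OJ_PATCHED = Gem::Version.new("3.17.3") # PATCHED VERSIONS in the advisory
# Heuristic (assumption): ways a call site can select Oj's :object mode.
OBJECT_MODE = /Oj\.object_load\b|\bmode:\s*:object\b|:mode\s*=>\s*:object\b/

# Version of Oj resolved in Gemfile.lock text, or nil when Oj is not locked.
# Resolved gems sit at exactly four spaces of indent under "specs:".
def locked_oj_version(lock_text)
  found = lock_text[/^ {4}oj \(([^)]+)\)$/, 1]
  found && Gem::Version.new(found)
end

# [line_number, stripped_line] for each line that selects :object mode.
def object_mode_sites(source_text)
  source_text.each_line.with_index(1).filter_map do |line, n|
    [n, line.strip] if line.match?(OBJECT_MODE)
  end
end

# sources: { path => file contents }. Returns a status plus flagged call sites.
def audit(lock_text, sources)
  version = locked_oj_version(lock_text)
  return { status: :oj_not_locked, sites: {} } if version.nil?
  return { status: :patched, version: version.to_s, sites: {} } if version >= OJ_PATCHED

  sites = sources.transform_values { |src| object_mode_sites(src) }
                 .reject { |_, hits| hits.empty? }
  status = sites.empty? ? :affected_no_object_mode_seen : :affected_object_mode_in_use
  { status: status, version: version.to_s, sites: sites }
end

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    oj (3.16.9)
    rack (3.1.8)

DEPENDENCIES
  oj
LOCK
SAMPLE_SRC = <<~'SRC'
  def parse_webhook(body)
    Oj.load(body, mode: :object)
  end
SRC

pp audit(SAMPLE_LOCK, { "app/webhook.rb" => SAMPLE_SRC }) if __FILE__ == $PROGRAM_NAME
```

The call-site match is textual, so it misses :object mode set through Oj.default_options or a variable; a clean result on an affected version still calls for the upgrade.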
Credit
Reported by Zac Wang (@7a6163).
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54500
- https://rubygems.org/gems/oj/versions/3.17.3
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
- https://github.com/ohler55/oj/pull/1015
- https://github.com/ohler55/oj/security/advisories/GHSA-fm7p-mprw-wjm9
- https://github.com/advisories/GHSA-fm7p-mprw-wjm9
