Ruby JSON Format String Injection Vulnerability Leading to Denial-of-Service and Information Disclosure

Vulnerability

A format string injection vulnerability has been identified in Ruby JSON versions from 2.14.0 up to, but not including, the fixed releases 2.15.2.1, 2.17.1.2, and 2.19.2. The vulnerability can lead to denial of service or information disclosure when the 'allow_duplicate_key: false' parsing option is used to parse user-supplied documents. The issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Impact

Exploitation of this vulnerability can cause denial-of-service conditions or unauthorized information disclosure.

Remediation

Users should upgrade to Ruby JSON version 2.15.2.1, 2.17.1.2, or 2.19.2 to address this vulnerability. If an upgrade is not possible, the issue can be avoided by not passing the 'allow_duplicate_key: false' parsing option when parsing untrusted documents.
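The following Ruby snippet is an added example, not code from the advisory or from the json gem, showing how an application can check whether its installed json gem falls in the affected range and, following the advisory's workaround, only pass 'allow_duplicate_key: false' when the gem is at a fixed release. It assumes (the advisory does not say so explicitly) that each fixed release patches only its own 2.15.x, 2.17.x or 2.19.x minor line, so that intermediate lines such as 2.16.x are treated as affected and anything from 2.19.2 upward as fixed. The function names json_gem_vulnerable?, duplicate_key_option and parse_untrusted are hypothetical.

```ruby
require "rubygems"
require "json"

# Fixed releases named in the advisory, keyed by the minor line each one patches.
PATCHED_RELEASES = {
  "2.15" => Gem::Version.new("2.15.2.1"),
  "2.17" => Gem::Version.new("2.17.1.2"),
  "2.19" => Gem::Version.new("2.19.2"),
}.freeze

# First affected release according to the advisory.
FIRST_AFFECTED = Gem::Version.new("2.14.0")

# Newest fixed release; lines without their own backport are compared against it.
NEWEST_FIX = PATCHED_RELEASES.values.max

# Returns true when the given json gem version string is in the affected range.
# Assumption (not stated by the advisory): a fix only covers its own minor line,
# so 2.16.x and 2.18.x count as affected and >= 2.19.2 counts as fixed.
def json_gem_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  return false if version < FIRST_AFFECTED

  minor_line = version.segments[0, 2].join(".")
  fixed_on_line = PATCHED_RELEASES[minor_line]
  if fixed_on_line
    version < fixed_on_line
  else
    version < NEWEST_FIX
  end
end

# Parse options to use for untrusted input on a given gem version.
# The strict duplicate-key check is only enabled on a fixed release, which is
# the advisory's workaround: never pass 'allow_duplicate_key: false' on an
# affected gem. Versions before 2.14.0 also get no option, since the advisory
# says nothing about them supporting it.
def duplicate_key_option(version_string)
  version = Gem::Version.new(version_string)
  return {} if version < FIRST_AFFECTED
  return {} if json_gem_vulnerable?(version_string)

  { allow_duplicate_key: false }
end

# Parses a user-supplied document with options chosen for the installed gem.
def parse_untrusted(document, version_string = JSON::VERSION)
  JSON.parse(document, duplicate_key_option(version_string))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input for a local run.
  puts "installed json gem: #{JSON::VERSION} " \
       "(vulnerable: #{json_gem_vulnerable?(JSON::VERSION)})"
  puts parse_untrusted('{"user": "alice", "role": "viewer"}').inspect
end
```

Run the file directly to report the installed gem's status; in an application, call parse_untrusted wherever request bodies or other external JSON are parsed, and replace the version check with a plain upgrade as soon as one is possible.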

Added: Mar 20, 2026, 11:27 PM
Updated: Mar 20, 2026, 11:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 4.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.