Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions gems/json/CVE-2026-54696.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
---
gem: json
cve: 2026-54696
ghsa: x2f5-4prf-w687
url: https://nvd.nist.gov/vuln/detail/CVE-2026-54696
title: JSON generator heap buffer overflow when streaming to an IO
date: 2026-06-30
description: |
Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through
2.19.8 are vulnerable to heap buffer overflow when the JSON generator
is provided with an oversized streamed object.

When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io)
can write past the internal JSON generator buffer when a streamed
object contains an attacker-controlled string near 16 KB. Exploitation
would result in a reliable process crash/denial of service.

This was triaged on HackerOne as report #3785370.
The issue was confirmed there and I was asked to open it here.

This issue has been fixed in version 2.19.9.
cvss_v3: 3.7
unaffected_versions:
- "< 2.9.0"
patched_versions:
- ">= 2.19.9"
Comment thread
jasnow marked this conversation as resolved.
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2026-54696
- https://rubygems.org/gems/json/versions/2.19.9
- https://github.com/ruby/json/releases/tag/v2.19.9
- https://github.com/ruby/json/blob/master/CHANGES.md#2026-06-11-2199
- https://hackerone.com/reports/3785370
- https://github.com/ruby/json/security/advisories/GHSA-x2f5-4prf-w687
notes: |
- Got 2.19.9 and date from nvd.nist.gov web site.