File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54696 (json): JSON generator heap buffer overflow when streaming
4+ to an IO'
5+ comments : false
6+ categories :
7+ - json
8+ advisory :
9+ gem : json
10+ cve : 2026-54696
11+ ghsa : x2f5-4prf-w687
12+ url : https://nvd.nist.gov/vuln/detail/CVE-2026-54696
13+ title : JSON generator heap buffer overflow when streaming to an IO
14+ date : 2026-06-30
15+ description : |-
16+ Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through
17+ 2.19.8 are vulnerable to heap buffer overflow when the JSON generator
18+ is provided with an oversized streamed object.
19+
20+ When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io)
21+ can write past the internal JSON generator buffer when a streamed
22+ object contains an attacker-controlled string near 16 KB. Exploitation
23+ would result in a reliable process crash/denial of service.
24+
25+ This was triaged on HackerOne as report #3785370.
26+ The issue was confirmed there and I was asked to open it here.
27+
28+ This issue has been fixed in version 2.19.9.
29+ cvss_v3 : 3.7
30+ unaffected_versions :
31+ - " < 2.9.0"
32+ patched_versions :
33+ - " >= 2.19.9"
34+ related :
35+ url :
36+ - https://nvd.nist.gov/vuln/detail/CVE-2026-54696
37+ - https://rubygems.org/gems/json/versions/2.19.9
38+ - https://github.com/ruby/json/releases/tag/v2.19.9
39+ - https://github.com/ruby/json/blob/master/CHANGES.md#2026-06-11-2199
40+ - https://hackerone.com/reports/3785370
41+ - https://github.com/ruby/json/security/advisories/GHSA-x2f5-4prf-w687
42+ notes : " - Got 2.19.9 and date from nvd.nist.gov web site.\n "
43+ ---
You can’t perform that action at this time.
0 commit comments