GHSA-35w3-pjm6-wj95

Suggest an improvement
Source
https://github.com/advisories/GHSA-35w3-pjm6-wj95
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-35w3-pjm6-wj95/GHSA-35w3-pjm6-wj95.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-35w3-pjm6-wj95
Aliases
  • CVE-2026-54896
Downstream
Related
Published
2026-06-19T19:36:47Z
Modified
2026-06-26T19:59:20.886604418Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent
Details

Summary

Oj.dump in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/dump.h
  • Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/dump.h, line 75–77:

static void fill_indent(Out out, int depth) {
    if (0 < out->opts->indent) {
        memset(out->buf + out->cur, ' ', (size_t)(out->opts->indent * depth));

When dumping an Exception object in :object mode, dump_obj_attrs calls fill_indent repeatedly for each attribute. The buffer is pre-allocated based on the serialized content but not the indentation overhead. With indent: 5000 the indent block for a nested object exceeds the remaining buffer space, producing a heap-buffer-overflow of size 5,000 at the end of the allocated region.

ASAN report:

==101656==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x527000022c5e
WRITE of size 5000 at 0x527000022c5e thread T0
    #0 memset
    #1 fill_indent       /ext/oj/dump.h:77
    #2 dump_obj_attrs    /ext/oj/dump_object.c:552
    #3 dump_obj          /ext/oj/dump_object.c:80
    #4 oj_dump_obj_val   /ext/oj/dump_object.c:708
    #5 oj_dump_obj_to_json_using_params  /ext/oj/dump.c:817
    #6 dump_body         /ext/oj/oj.c:1429
    #7 dump              /ext/oj/oj.c:1480
0x527000022c5e is located 0 bytes after 13150-byte region [0x52700001f900, 0x527000022c5e)

Reproduce

require "oj"
obj = Oj.load('{"^o":"RuntimeError"}', mode: :object)
Oj.dump(obj, mode: :object, indent: 5000)

Workarounds

This is at the discretion of the developer and not a public facing option so the workaround is the develop should not use extreme indents and should not offer the option for users to dump Ruby data with unlimited indentation size.

Database specific
{
    "cwe_ids": [
        "CWE-122"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2026-06-19T19:36:47Z",
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

RubyGems / oj

Package

Name
oj
Purl
pkg:gem/oj

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.17.3

Affected versions

0.*
0.5
0.5.1
0.5.2
0.6.0
0.7.0
0.8.0
0.9.0
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.3.0
1.3.2
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6a2
1.4.6
1.4.7
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.6
2.1.7
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.6.1
2.7.0
2.7.1
2.7.2
2.7.3
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.12.0
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.12.6
2.12.7
2.12.8
2.12.9
2.12.10
2.12.11
2.12.12
2.12.13
2.12.14
2.13.0
2.13.1
2.14.0
2.14.1
2.14.2
2.14.3
2.14.4
2.14.5
2.14.6
2.15.0
2.15.1
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.17.3
2.17.4
2.17.5
2.18.0
2.18.1
2.18.2
2.18.3
2.18.4
2.18.5
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.1.0
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.3.10
3.4.0
3.5.0
3.5.1
3.6.0
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.6.9
3.6.10
3.6.11
3.6.12
3.6.13
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.7.9
3.7.10
3.7.11
3.7.12
3.8.0
3.8.1
3.9.0
3.9.1
3.9.2
3.10.0
3.10.1
3.10.2
3.10.3
3.10.5
3.10.6
3.10.7
3.10.8
3.10.9
3.10.10
3.10.11
3.10.12
3.10.13
3.10.14
3.10.15
3.10.16
3.10.17
3.10.18
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.11.8
3.12.0
3.12.1
3.12.2
3.12.3
3.13.0
3.13.1
3.13.2
3.13.3
3.13.4
3.13.5
3.13.6
3.13.7
3.13.8
3.13.9
3.13.10
3.13.11
3.13.12
3.13.13
3.13.14
3.13.15
3.13.16
3.13.17
3.13.18
3.13.19
3.13.20
3.13.21
3.13.22
3.13.23
3.14.0
3.14.1
3.14.2
3.14.3
3.15.0
3.15.1
3.16.0
3.16.1
3.16.2
3.16.3
3.16.4
3.16.5
3.16.6
3.16.7
3.16.8
3.16.9
3.16.10
3.16.11
3.16.12
3.16.13
3.16.14
3.16.15
3.16.16
3.16.17
3.17.0
3.17.1

Database specific

last_known_affected_version_range
"< 3.17.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-35w3-pjm6-wj95/GHSA-35w3-pjm6-wj95.json"