CVE Catalog

CVE-2026-33210

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.84%

53th percentile - higher than 53% of all known CVEs

Summary

A format string injection vulnerability in Ruby JSON (versions 2.14.0 through 2.15.2.1, 2.17.1.2, and 2.19.2) can lead to denial of service or information disclosure when the allow_duplicate_key: false parsing option is used on user-supplied documents. The issue is fixed in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Risk Assessment

An attacker could cause denial of service or leak sensitive system information, threatening the availability and confidentiality of applications using the vulnerable library.

Recommendation

Immediately update Ruby JSON to version 2.15.2.1, 2.17.1.2, or 2.19.2 (depending on your branch) and avoid using the allow_duplicate_key: false option on untrusted data.

Original NVD description (English source)

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS