CVE-2026-33210
CriticalCVSS 9.1Exploitation Probability (EPSS)
Elevated risk53th percentile - higher than 53% of all known CVEs
Summary
A format string injection vulnerability in Ruby JSON (versions 2.14.0 through 2.15.2.1, 2.17.1.2, and 2.19.2) can lead to denial of service or information disclosure when the allow_duplicate_key: false parsing option is used on user-supplied documents. The issue is fixed in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
Risk Assessment
An attacker could cause denial of service or leak sensitive system information, threatening the availability and confidentiality of applications using the vulnerable library.
Recommendation
Immediately update Ruby JSON to version 2.15.2.1, 2.17.1.2, or 2.19.2 (depending on your branch) and avoid using the allow_duplicate_key: false option on untrusted data.
Original NVD description (English source)
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

