CVE Catalog

CVE-2026-54592

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

18th percentile — higher than 18% of all known CVEs

Summary

A denial-of-service (DoS) vulnerability was found in the Oj (Optimized JSON) library for Ruby. The Oj::Doc#each_child function, when recursively processing a deeply nested JSON document, overflows a fixed-size stack buffer, causing a process crash. The issue has been fixed in version 3.17.3.

Risk Assessment

An attacker can send a specially crafted, deeply nested JSON document that crashes the application using the vulnerable library, leading to service unavailability.

Recommendation

Immediately update the Oj library to version 3.17.3 or later. If an update is not possible, restrict the processing of untrusted JSON data by the vulnerable library version.

Original NVD description (English source)

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doc#each_child, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to DoS. In a two-step chain in ext/oj/fast.c, doc_each_child increments doc->where past the where_path[MAX_STACK = 100] array with no bounds check and never restores it (the doc->where-- is missing), so calling each_child recursively from inside the yield block drives doc->where beyond the array. On the next entry the function copies the path into the 800-byte stack-local buffer save_path[MAX_STACK] using wlen = doc->where - doc->where_path, so when the previous recursive call left doc->where past where_path[100] the wlen exceeds MAX_STACK and the memcpy overflows save_path on the C stack; because the Oj::Doc parser imposes no JSON nesting-depth limit (relying on a C-stack pressure check), deeply nested attacker input reaches this path. This issue has been fixed in version 3.17.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS