CVE-2026-54500
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
In the Oj (Optimized JSON) library for Ruby, a vulnerability was found where uninitialized stack memory is read when parsing JSON keys of 254 bytes or longer in :object mode. The flaw occurs in form_attr() which passes a stack buffer instead of a properly allocated heap buffer to rb_intern3(), causing process stack memory disclosure. The issue is fixed in version 3.17.3.
Risk Assessment
An attacker can exploit this vulnerability to read fragments of process stack memory, potentially leaking sensitive data such as keys, passwords, or other information stored in the application's memory.
Recommendation
Immediately update the Oj library to version 3.17.3 or later. If an update is not possible, avoid using :object mode with Oj.load() for untrusted JSON data.
Original NVD description (English source)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer, `b`, populating it with the attribute name, and then freeing it — but it passed the uninitialized stack buffer buf (not b) to rb_intern3(). rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf. The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents. This issue has been fixed in version 3.17.3.

