PT-2026-26298 · Ruby · Json+1
Davidkorczynski · Published 2026-03-19 · Updated 2026-05-26 · CVE-2026-33210
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Ruby JSON versions 2.14.0 through 2.15.2
Ruby JSON versions 2.17.1 through 2.17.1.2
Ruby JSON versions 2.19.0 through 2.19.2

Description
Ruby JSON is a JSON implementation for Ruby. A format string injection issue exists when the allow_duplicate_key: false parsing option is used to parse user-supplied documents. This can lead to denial of service attacks or information disclosure. The allow_duplicate_key: false option is not enabled by default, so users who have not specifically enabled it are not affected.

Recommendations
Ruby JSON versions 2.14.0 through 2.15.2: Update to version 2.15.2.1 or later.
Ruby JSON versions 2.17.1 through 2.17.1.2: Update to version 2.17.1.2 or later.
Ruby JSON versions 2.19.0 through 2.19.2: Update to version 2.19.2 or later.
Avoid using the allow_duplicate_key: false parsing option.
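Added example (not part of this advisory or of the json gem): a small Ruby check that compares the loaded json gem version against the ranges above and only passes allow_duplicate_key: false to JSON.parse on a version that is not affected. It assumes the rule "affected when at or after a listed range start and before that range's recommended update target"; the helper names are constructed here.

```ruby
require "json"
require "rubygems" # Gem::Version; already loaded on modern Ruby

# Affected range starts and the recommended update target for each range,
# as listed in this advisory (PT-2026-26298 / CVE-2026-33210).
AFFECTED_RANGES = [
  { from: "2.14.0", fixed: "2.15.2.1" },
  { from: "2.17.1", fixed: "2.17.1.2" },
  { from: "2.19.0", fixed: "2.19.2" },
].freeze

# Assumption used here: a version is affected when it is at or after a
# range start and before that range's recommended update target.
def affected_json_version?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? do |r|
    v >= Gem::Version.new(r[:from]) && v < Gem::Version.new(r[:fixed])
  end
end

# Choose parse options for untrusted input on this installation: the
# advisory's workaround is to avoid allow_duplicate_key: false, so it is
# only passed through when the loaded gem is outside the affected ranges.
def parse_options(version = JSON::VERSION)
  affected_json_version?(version) ? {} : { allow_duplicate_key: false }
end

# Parse a user-supplied document with the options chosen above.
def parse_untrusted(doc, version = JSON::VERSION)
  JSON.parse(doc, parse_options(version))
end

if __FILE__ == $PROGRAM_NAME
  puts "json #{JSON::VERSION} affected: #{affected_json_version?(JSON::VERSION)}"
  p parse_untrusted('{"a": 1}')
end
```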

Exploit · Fix · DoS

Weakness Enumeration
Use of Externally-Controlled Format String

Related Identifiers

ALSA-2026:20596
CLEANSTART-2026-CQ39708
CLEANSTART-2026-DV49899
CLEANSTART-2026-GE08280
CLEANSTART-2026-OQ84658
CLEANSTART-2026-RZ30606
CVE-2026-33210
GHSA-3M6G-2423-7CP3

Affected Products

Json
Ruby