{"id":"CVE-2020-10663","details":"The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.","aliases":["GHSA-jphg-qwrw-7w9g"],"modified":"2026-04-10T04:21:33.540188Z","published":"2020-04-28T21:15:11.667Z","related":["ALSA-2021:2587","ALSA-2021:2588","MGASA-2020-0186","SUSE-RU-2020:2072-1","SUSE-SU-2020:0995-1","SUSE-SU-2020:1570-1","SUSE-SU-2020:1901-1","openSUSE-SU-2020:0586-1","openSUSE-SU-2024:11310-1","openSUSE-SU-2024:11311-1","openSUSE-SU-2024:11335-1","openSUSE-SU-2024:11786-1","openSUSE-SU-2024:11829-1","openSUSE-SU-2024:12712-1","openSUSE-SU-2024:13160-1","openSUSE-SU-2024:13623-1","openSUSE-SU-2024:13719-1","openSUSE-SU-2025:14621-1","openSUSE-SU-2025:15118-1","openSUSE-SU-2025:15819-1","openSUSE-SU-2026:10351-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7%40%3Cissues.zookeeper.apache.org%3E"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4721"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2020/Dec/32"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210129-0003/"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT211931"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/flori/json","events":[{"introduced":"0"},{"last_affected":"6550c427e1e9b1e5e4f1c85346f7e319c647a876"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.2.0"}]}}],"versions":["v1.1.8","v1.2.0","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4-java","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.6.7","v1.7.0","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.7.5","v1.7.6","v1.7.7","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v2.0.0","v2.0.1","v2.0.2","v2.1.0","v2.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10663.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}