{"id":"CVE-2026-33210","summary":"Ruby JSON has a format string injection vulnerability","details":"Ruby JSON is a JSON implementation for Ruby. Starting in version 2.14.0 and prior to versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service or information disclosure when the allow_duplicate_key: false parsing option is used to parse user-supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.","aliases":["GHSA-3m6g-2423-7cp3"],"modified":"2026-04-12T20:14:10.009934Z","published":"2026-03-20T22:57:08.758Z","related":["CGA-g4ff-hqx9-2xp5"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33210.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-134"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33210.json"},{"type":"ADVISORY","url":"https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33210"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/json","events":[{"introduced":"55552cafe2c4d54658fddd7a8c6134a42b0200b5"},{"fixed":"e26694b82e789e3cd26005a42c0883f1561f0d58"}],"database_specific":{"versions":[{"introduced":"2.14.0"},{"fixed":"2.15.2.1"}]}},{"type":"GIT","repo":"https://github.com/ruby/json","events":[{"introduced":"5a12067f8878d94739d70e0085b91c88fd9e31d6"},{"fixed":"e4a77e118b286840a6d25ba513f6e3e59d7752dc"}],"database_specific":{"versions":[{"introduced":"2.16.0"},{"fixed":"2.17.1.2"}]}},{"type":"GIT","repo":"https://github.com/ruby/json","events":[{"introduced":"1cdd2122d537d93b32d554dd013f607148291ba4"},{"fixed":"54f8a878aebee090476a53c851c943128894be62"}],"database_specific":{"versions":[{"introduced":"2.18.0"},{"fixed":"2.19.2"}]}}],"versions":["v2.14.0","v2.14.1","v2.15.0","v2.15.1","v2.15.2","v2.16.0","v2.17.0","v2.17.1","v2.18
.0","v2.18.1","v2.19.0","v2.19.1"],"database_specific":{"vanir_signatures":[{"id":"CVE-2026-33210-2b8cb7c2","source":"https://github.com/ruby/json/commit/e4a77e118b286840a6d25ba513f6e3e59d7752dc","digest":{"line_hashes":["325914752244730123010757952303983800220","331419183725943468675677814042739012087","253283923119534484709484432495240283324","145781200165913883439546753177501064829","335225897630241288449678433421708100973","209210543148511781411611219839651243273","49146466343040687485360669931719770963","193109083472163049769039659592704211782","231670874234845402904974752348184600988","17428574373514301400070518416011703343","89329085122171587762643163044015700710","144406455229724825260317396654407398385","286270868943488358794954117833509021222","284960879438046844791247333616651967777","77567925069938153442914670740591959629","52041882656837857942022444424232044994","139353553598417968823045336288826630945","301540770148339629159351878030492725277","235234978437296550769047173979190856357","338778744951644765620798657070856175364","249277726739882260651674621519465505937","312379034217437770743015542535757410159"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"ext/json/ext/parser/parser.c"},"deprecated":false},{"id":"CVE-2026-33210-3d2a247f","source":"https://github.com/ruby/json/commit/e26694b82e789e3cd26005a42c0883f1561f0d58","digest":{"length":208,"function_hash":"75925378336692977754435680015104310984"},"signature_version":"v1","signature_type":"Function","target":{"function":"raise_duplicate_key_error","file":"ext/json/ext/parser/parser.c"},"deprecated":false},{"id":"CVE-2026-33210-679147a0","source":"https://github.com/ruby/json/commit/e4a77e118b286840a6d25ba513f6e3e59d7752dc","digest":{"length":1093,"function_hash":"51191807039051488109713112089669337077"},"signature_version":"v1","signature_type":"Function","target":{"function":"raise_parse_error","file":"ext/json/ext/parser/parser.c"},"deprecated":false},{"id":"
CVE-2026-33210-767b5ff3","source":"https://github.com/ruby/json/commit/e26694b82e789e3cd26005a42c0883f1561f0d58","digest":{"length":1093,"function_hash":"51191807039051488109713112089669337077"},"signature_version":"v1","signature_type":"Function","target":{"function":"raise_parse_error","file":"ext/json/ext/parser/parser.c"},"deprecated":false},{"id":"CVE-2026-33210-aed27339","source":"https://github.com/ruby/json/commit/e4a77e118b286840a6d25ba513f6e3e59d7752dc","digest":{"length":208,"function_hash":"75925378336692977754435680015104310984"},"signature_version":"v1","signature_type":"Function","target":{"function":"raise_duplicate_key_error","file":"ext/json/ext/parser/parser.c"},"deprecated":false},{"id":"CVE-2026-33210-db4fb71e","source":"https://github.com/ruby/json/commit/e26694b82e789e3cd26005a42c0883f1561f0d58","digest":{"line_hashes":["325914752244730123010757952303983800220","331419183725943468675677814042739012087","253283923119534484709484432495240283324","145781200165913883439546753177501064829","335225897630241288449678433421708100973","209210543148511781411611219839651243273","49146466343040687485360669931719770963","193109083472163049769039659592704211782","231670874234845402904974752348184600988","17428574373514301400070518416011703343","89329085122171587762643163044015700710","144406455229724825260317396654407398385","286270868943488358794954117833509021222","284960879438046844791247333616651967777","77567925069938153442914670740591959629","52041882656837857942022444424232044994","139353553598417968823045336288826630945","301540770148339629159351878030492725277","235234978437296550769047173979190856357","338778744951644765620798657070856175364","249277726739882260651674621519465505937","312379034217437770743015542535757410159"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"ext/json/ext/parser/parser.c"},"deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33210.jso
n","vanir_signatures_modified":"2026-04-12T20:14:10Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N"}]}