CVE-2022-41875
- Source
- https://cve.org/CVERecord?id=CVE-2022-41875
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-41875.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-41875
- Aliases
-
- GHSA-cf87-4h6x-phh6
- Published
- 2022-11-23T00:00:00Z
- Modified
- 2025-11-28T04:55:51.836484Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Remote Code Execution in Optica
- Details
-
A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Specially crafted JSON payloads may lead to RCE (remote code execution) on the attacked system running Optica. The vulnerability was patched in v. 0.10.2, where the call to the function
oj.loadwas changed tooj.safe_load. - Database specific
{ "cwe_ids": [ "CWE-502" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41875.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41875.json
- https://github.com/airbnb/optica/security/advisories/GHSA-cf87-4h6x-phh6
- https://github.com/ohler55/oj/blob/develop/pages/Security.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-41875
- https://www.rubydoc.info/gems/oj/3.0.2/Oj.safe_load
Affected packages
Git / github.com/airbnb/optica
Affected ranges
- Type
- GIT
- Repo
- https://github.com/airbnb/optica
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed