CVE-2026-33210

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33210
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33210.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-33210
Aliases
Downstream
Related
Published
2026-03-20T22:57:08.758Z
Modified
2026-03-25T04:15:44.200127Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Ruby JSON has a format string injection vulnerability
Details

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33210.json",
    "cwe_ids": [
        "CWE-134"
    ]
}
References

Affected packages

Git / github.com/ruby/json

Affected ranges

Type
GIT
Repo
https://github.com/ruby/json
Events
Introduced
55552cafe2c4d54658fddd7a8c6134a42b0200b5
Fixed
e26694b82e789e3cd26005a42c0883f1561f0d58
Database specific 
{
    "versions": [
        {
            "introduced": "2.14.0"
        },
        {
            "fixed": "2.15.2.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/ruby/json
Events
Introduced
5a12067f8878d94739d70e0085b91c88fd9e31d6
Fixed
e4a77e118b286840a6d25ba513f6e3e59d7752dc
Database specific 
{
    "versions": [
        {
            "introduced": "2.16.0"
        },
        {
            "fixed": "2.17.1.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/ruby/json
Events
Introduced
1cdd2122d537d93b32d554dd013f607148291ba4
Fixed
54f8a878aebee090476a53c851c943128894be62
Database specific 
{
    "versions": [
        {
            "introduced": "2.18.0"
        },
        {
            "fixed": "2.19.2"
        }
    ]
}

Affected versions

v2.*
v2.14.0
v2.14.1
v2.15.0
v2.15.1
v2.15.2
v2.16.0
v2.17.0
v2.17.1
v2.17.1.2
v2.18.0
v2.18.1
v2.19.0
v2.19.1
v2.19.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33210.json"
vanir_signatures 
[
    {
        "source": "https://github.com/ruby/json/commit/e4a77e118b286840a6d25ba513f6e3e59d7752dc",
        "id": "CVE-2026-33210-2b8cb7c2",
        "digest": {
            "line_hashes": [
                "325914752244730123010757952303983800220",
                "331419183725943468675677814042739012087",
                "253283923119534484709484432495240283324",
                "145781200165913883439546753177501064829",
                "335225897630241288449678433421708100973",
                "209210543148511781411611219839651243273",
                "49146466343040687485360669931719770963",
                "193109083472163049769039659592704211782",
                "231670874234845402904974752348184600988",
                "17428574373514301400070518416011703343",
                "89329085122171587762643163044015700710",
                "144406455229724825260317396654407398385",
                "286270868943488358794954117833509021222",
                "284960879438046844791247333616651967777",
                "77567925069938153442914670740591959629",
                "52041882656837857942022444424232044994",
                "139353553598417968823045336288826630945",
                "301540770148339629159351878030492725277",
                "235234978437296550769047173979190856357",
                "338778744951644765620798657070856175364",
                "249277726739882260651674621519465505937",
                "312379034217437770743015542535757410159"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "ext/json/ext/parser/parser.c"
        }
    },
    {
        "source": "https://github.com/ruby/json/commit/e26694b82e789e3cd26005a42c0883f1561f0d58",
        "id": "CVE-2026-33210-3d2a247f",
        "digest": {
            "length": 208.0,
            "function_hash": "75925378336692977754435680015104310984"
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "ext/json/ext/parser/parser.c",
            "function": "raise_duplicate_key_error"
        }
    },
    {
        "source": "https://github.com/ruby/json/commit/e4a77e118b286840a6d25ba513f6e3e59d7752dc",
        "id": "CVE-2026-33210-679147a0",
        "digest": {
            "length": 1093.0,
            "function_hash": "51191807039051488109713112089669337077"
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "ext/json/ext/parser/parser.c",
            "function": "raise_parse_error"
        }
    },
    {
        "source": "https://github.com/ruby/json/commit/e26694b82e789e3cd26005a42c0883f1561f0d58",
        "id": "CVE-2026-33210-767b5ff3",
        "digest": {
            "length": 1093.0,
            "function_hash": "51191807039051488109713112089669337077"
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "ext/json/ext/parser/parser.c",
            "function": "raise_parse_error"
        }
    },
    {
        "source": "https://github.com/ruby/json/commit/e4a77e118b286840a6d25ba513f6e3e59d7752dc",
        "id": "CVE-2026-33210-aed27339",
        "digest": {
            "length": 208.0,
            "function_hash": "75925378336692977754435680015104310984"
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "ext/json/ext/parser/parser.c",
            "function": "raise_duplicate_key_error"
        }
    },
    {
        "source": "https://github.com/ruby/json/commit/e26694b82e789e3cd26005a42c0883f1561f0d58",
        "id": "CVE-2026-33210-db4fb71e",
        "digest": {
            "line_hashes": [
                "325914752244730123010757952303983800220",
                "331419183725943468675677814042739012087",
                "253283923119534484709484432495240283324",
                "145781200165913883439546753177501064829",
                "335225897630241288449678433421708100973",
                "209210543148511781411611219839651243273",
                "49146466343040687485360669931719770963",
                "193109083472163049769039659592704211782",
                "231670874234845402904974752348184600988",
                "17428574373514301400070518416011703343",
                "89329085122171587762643163044015700710",
                "144406455229724825260317396654407398385",
                "286270868943488358794954117833509021222",
                "284960879438046844791247333616651967777",
                "77567925069938153442914670740591959629",
                "52041882656837857942022444424232044994",
                "139353553598417968823045336288826630945",
                "301540770148339629159351878030492725277",
                "235234978437296550769047173979190856357",
                "338778744951644765620798657070856175364",
                "249277726739882260651674621519465505937",
                "312379034217437770743015542535757410159"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "ext/json/ext/parser/parser.c"
        }
    }
]