CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-134"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33210.json"
}

References

Affected packages

Git / github.com/ruby/json

Affected ranges

Type

GIT

Repo

https://github.com/ruby/json

Events

Introduced

55552cafe2c4d54658fddd7a8c6134a42b0200b5

Fixed

e26694b82e789e3cd26005a42c0883f1561f0d58

Introduced

5a12067f8878d94739d70e0085b91c88fd9e31d6

Fixed

e4a77e118b286840a6d25ba513f6e3e59d7752dc

Introduced

1cdd2122d537d93b32d554dd013f607148291ba4

Fixed

54f8a878aebee090476a53c851c943128894be62

Database specific

{
    "extracted_events": [
        {
            "introduced": "2.14.0"
        },
        {
            "fixed": "2.15.2.1"
        },
        {
            "introduced": "2.16.0"
        },
        {
            "fixed": "2.17.1.2"
        },
        {
            "introduced": "2.18.0"
        },
        {
            "fixed": "2.19.2"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v2.*

v2.14.0

v2.14.1

v2.15.0

v2.15.1

v2.15.2

v2.16.0

v2.17.0

v2.17.1

v2.18.0

v2.18.1

v2.19.0

v2.19.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33210.json"