GHSA-3m6g-2423-7cp3

Source
https://github.com/advisories/GHSA-3m6g-2423-7cp3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3m6g-2423-7cp3/GHSA-3m6g-2423-7cp3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3m6g-2423-7cp3
Aliases
Downstream
Related
Published
2026-03-19T12:45:53Z
Modified
2026-03-23T11:29:08.141030Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Ruby JSON has a format string injection vulnerability
Details

Impact

A format string injection vulnerability that can lead to denial of service or information disclosure when the allow_duplicate_key: false parsing option is used to parse user-supplied documents.

This option isn't the default; if you didn't opt in to it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

Database specific
{
    "cwe_ids": [
        "CWE-134"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T12:45:53Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}
References

Affected packages

RubyGems / json

Package

Name
json
Purl
pkg:gem/json

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.18.0
Fixed
2.19.2

Affected versions

2.*
2.18.0
2.18.1
2.19.0
2.19.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3m6g-2423-7cp3/GHSA-3m6g-2423-7cp3.json"

RubyGems / json

Package

Name
json
Purl
pkg:gem/json

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.16.0
Fixed
2.17.1.2

Affected versions

2.*
2.16.0
2.17.0
2.17.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3m6g-2423-7cp3/GHSA-3m6g-2423-7cp3.json"

RubyGems / json

Package

Name
json
Purl
pkg:gem/json

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.14.0
Fixed
2.15.2.1

Affected versions

2.*
2.14.0
2.14.1
2.15.0
2.15.1
2.15.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3m6g-2423-7cp3/GHSA-3m6g-2423-7cp3.json"