GHSA-3M6Q-JJ5J-38C9
Vulnerability from github – Published: 2026-06-19 19:36 – Updated: 2026-06-19 19:36Summary
Oj::Doc#each_child, when invoked recursively over a deeply nested JSON
document, overflows a fixed-size stack buffer and aborts the process. This is a
denial of service reachable from untrusted JSON.
Details
Two-step chain in ext/oj/fast.c:
-
doc_each_child(~line 1501) incrementsdoc->wherepast thewhere_path[MAX_STACK = 100]array with no bounds check, and never restores it (doc->where--is missing). Callingeach_childrecursively from inside the yield block therefore drivesdoc->wherebeyond the array. -
On the next entry (~line 1478) the function copies the path into a stack-local buffer:
c
Leaf save_path[MAX_STACK]; // 800-byte stack buffer
size_t wlen = doc->where - doc->where_path;
if (0 < wlen) {
memcpy(save_path, doc->where_path, sizeof(Leaf) * (wlen + 1));
}
When the previous recursive call left doc->where past where_path[100],
wlen exceeds MAX_STACK and the memcpy overflows save_path on the C
stack.
The Oj::Doc parser imposes no JSON nesting-depth limit (it relies on a
C-stack pressure check), so deeply nested attacker input reaches this path.
Proof of Concept
require 'oj'
depth = 200
payload = '[' * depth + '1' + ']' * depth
Oj::Doc.open(payload) do |doc|
r = lambda { doc.each_child { |_| r.call } }
r.call
end
Recursion depth <= 99 iterates normally; depth >= 101 aborts. lldb backtrace
on the affected build (ruby 3.3.8 / arm64-darwin24):
SIGABRT
#2 __abort
#3 __stack_chk_fail
#4 doc_each_child (oj.bundle, fast.c)
Impact
Reliable denial of service: any endpoint that calls
Oj::Doc.open(untrusted) { |d| d.each_child ... } recursively can be crashed
with a small deeply-nested payload. On builds with a stack protector (the
default, -fstack-protector-strong) the canary aborts the process before the
saved return address is used. The Step-1 heap OOB writes into struct _doc
fields do occur, but are masked in practice because the Step-2 stack overflow
crashes first; turning them into anything beyond a crash has not been
demonstrated.
Patches
Fixed in 3.17.3: doc_each_child now bounds-checks before incrementing
doc->where (raising Oj::DepthError) and restores doc->where after the
loop, matching the existing each_leaf pattern. Verified on the fixed build:
depth >= 101 raises a clean Oj::DepthError instead of aborting.
Credit
Reported by Zac Wang (@7a6163).
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "oj"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.17.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54592"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T19:36:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\n`Oj::Doc#each_child`, when invoked recursively over a deeply nested JSON\ndocument, overflows a fixed-size stack buffer and aborts the process. This is a\ndenial of service reachable from untrusted JSON.\n\n### Details\n\nTwo-step chain in `ext/oj/fast.c`:\n\n1. **`doc_each_child` (~line 1501)** increments `doc-\u003ewhere` past the\n `where_path[MAX_STACK = 100]` array with no bounds check, and never restores\n it (`doc-\u003ewhere--` is missing). Calling `each_child` recursively from inside\n the yield block therefore drives `doc-\u003ewhere` beyond the array.\n\n2. **On the next entry (~line 1478)** the function copies the path into a\n stack-local buffer:\n\n ```c\n Leaf save_path[MAX_STACK]; // 800-byte stack buffer\n size_t wlen = doc-\u003ewhere - doc-\u003ewhere_path;\n if (0 \u003c wlen) {\n memcpy(save_path, doc-\u003ewhere_path, sizeof(Leaf) * (wlen + 1));\n }\n ```\n\n When the previous recursive call left `doc-\u003ewhere` past `where_path[100]`,\n `wlen` exceeds `MAX_STACK` and the `memcpy` overflows `save_path` on the C\n stack.\n\nThe `Oj::Doc` parser imposes no JSON nesting-depth limit (it relies on a\nC-stack pressure check), so deeply nested attacker input reaches this path.\n\n### Proof of Concept\n\n```ruby\nrequire \u0027oj\u0027\ndepth = 200\npayload = \u0027[\u0027 * depth + \u00271\u0027 + \u0027]\u0027 * depth\nOj::Doc.open(payload) do |doc|\n r = lambda { doc.each_child { |_| r.call } }\n r.call\nend\n```\n\nRecursion depth \u003c= 99 iterates normally; depth \u003e= 101 aborts. lldb backtrace\non the affected build (`ruby 3.3.8 / arm64-darwin24`):\n\n```\nSIGABRT\n#2 __abort\n#3 __stack_chk_fail\n#4 doc_each_child (oj.bundle, fast.c)\n```\n\n### Impact\n\nReliable denial of service: any endpoint that calls\n`Oj::Doc.open(untrusted) { |d| d.each_child ... }` recursively can be crashed\nwith a small deeply-nested payload. On builds with a stack protector (the\ndefault, `-fstack-protector-strong`) the canary aborts the process before the\nsaved return address is used. The Step-1 heap OOB writes into `struct _doc`\nfields do occur, but are masked in practice because the Step-2 stack overflow\ncrashes first; turning them into anything beyond a crash has not been\ndemonstrated.\n\n### Patches\n\nFixed in **3.17.3**: `doc_each_child` now bounds-checks before incrementing\n`doc-\u003ewhere` (raising `Oj::DepthError`) and restores `doc-\u003ewhere` after the\nloop, matching the existing `each_leaf` pattern. Verified on the fixed build:\ndepth \u003e= 101 raises a clean `Oj::DepthError` instead of aborting.\n\n### Credit\n\nReported by Zac Wang (@7a6163).",
"id": "GHSA-3m6q-jj5j-38c9",
"modified": "2026-06-19T19:36:28Z",
"published": "2026-06-19T19:36:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ohler55/oj/security/advisories/GHSA-3m6q-jj5j-38c9"
},
{
"type": "PACKAGE",
"url": "https://github.com/ohler55/oj"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.