GHSA-FM7P-MPRW-WJM9

Vulnerability from github – Published: 2026-06-19 19:35 – Updated: 2026-06-19 19:35
VLAI
Summary
Oj: intern.c form_attr (uninitialized stack read)
Details

Summary

Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory.

Details

In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer b, populating it with the attribute name, and then freeing it — but it passed the uninitialized stack buffer buf (not b) to rb_intern3():

static VALUE form_attr(const char *str, size_t len) {
    char buf[256];
    if (sizeof(buf) - 2 <= len) {        // long-key path (len >= 254)
        char *b = OJ_R_ALLOC_N(char, len + 2);
        // ... b is filled correctly ...
        id = rb_intern3(buf, len + 1, oj_utf8_encoding);   // BUG: reads `buf`
        OJ_R_FREE(b);
        return id;
    }
    // ...
}

rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf (CWE-125). The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents.

This is the same defect previously fixed in ext/oj/usual.c; intern.c held a duplicated copy of form_attr that was missed.

Proof of Concept

require 'oj'
key  = "A" * 300
json = %Q[{"^o":"Object","#{key}":1}]
Oj.load(json, mode: :object)

On affected versions this raises an EncodingError whose message contains ~1500 bytes of uninitialized stack memory (not the supplied "A"s). The leaked byte count varies between runs with the identical payload (e.g. 1491 vs 1516 bytes), confirming the content is uninitialized memory rather than fixed data.

Impact

Information disclosure of process stack memory to a caller that parses untrusted JSON with Oj.load(..., mode: :object). For keys >= 256 bytes it is also an out-of-bounds read (CWE-125).

Severity is bounded by several preconditions: it requires :object mode (which is already discouraged for untrusted input), the leaked bytes are uncontrolled (the attacker cannot choose what is disclosed), and the data only reaches an attacker if the application surfaces the resulting Symbol or EncodingError back to them. Scored CVSS 5.3 (Medium) on that basis.

Patches

Fixed in 3.17.3: form_attr() now passes b to rb_intern3 (a one-character change mirroring the earlier usual.c fix). Verified on the fixed build: the same payload returns cleanly with no leak across repeated runs.

Credit

Reported by Zac Wang (@7a6163).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "oj"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.17.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54500"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T19:35:59Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`Oj.load` in `:object` mode reads uninitialized stack memory (and, for long\nkeys, reads out of bounds) when parsing a JSON object whose key is 254 bytes\nor longer. The interned bytes can surface to the caller, disclosing process\nstack memory.\n\n### Details\n\nIn `ext/oj/intern.c`, `form_attr()` handles the long-key path by allocating a\nheap buffer `b`, populating it with the attribute name, and then freeing it \u2014\nbut it passed the **uninitialized stack buffer `buf`** (not `b`) to\n`rb_intern3()`:\n\n```c\nstatic VALUE form_attr(const char *str, size_t len) {\n    char buf[256];\n    if (sizeof(buf) - 2 \u003c= len) {        // long-key path (len \u003e= 254)\n        char *b = OJ_R_ALLOC_N(char, len + 2);\n        // ... b is filled correctly ...\n        id = rb_intern3(buf, len + 1, oj_utf8_encoding);   // BUG: reads `buf`\n        OJ_R_FREE(b);\n        return id;\n    }\n    // ...\n}\n```\n\n`rb_intern3` therefore reads `len + 1` bytes of uninitialized stack memory.\nWhen the key length is \u003e= 256, it also reads out of bounds past the 256-byte\n`buf` (CWE-125). The resulting bytes are interned and can reach the caller via\nthe produced Symbol or via the `EncodingError` message raised on invalid\nUTF-8, leaking process stack contents.\n\nThis is the same defect previously fixed in `ext/oj/usual.c`; `intern.c` held\na duplicated copy of `form_attr` that was missed.\n\n### Proof of Concept\n\n```ruby\nrequire \u0027oj\u0027\nkey  = \"A\" * 300\njson = %Q[{\"^o\":\"Object\",\"#{key}\":1}]\nOj.load(json, mode: :object)\n```\n\nOn affected versions this raises an `EncodingError` whose message contains\n~1500 bytes of uninitialized stack memory (not the supplied \"A\"s). The leaked\nbyte count varies between runs with the identical payload (e.g. 1491 vs 1516\nbytes), confirming the content is uninitialized memory rather than fixed data.\n\n### Impact\n\nInformation disclosure of process stack memory to a caller that parses\nuntrusted JSON with `Oj.load(..., mode: :object)`. For keys \u003e= 256 bytes it is\nalso an out-of-bounds read (CWE-125).\n\nSeverity is bounded by several preconditions: it requires `:object` mode\n(which is already discouraged for untrusted input), the leaked bytes are\nuncontrolled (the attacker cannot choose what is disclosed), and the data only\nreaches an attacker if the application surfaces the resulting Symbol or\n`EncodingError` back to them. Scored CVSS 5.3 (Medium) on that basis.\n\n### Patches\n\nFixed in **3.17.3**: `form_attr()` now passes `b` to `rb_intern3` (a\none-character change mirroring the earlier `usual.c` fix). Verified on the\nfixed build: the same payload returns cleanly with no leak across repeated\nruns.\n\n### Credit\n\nReported by Zac Wang (@7a6163).",
  "id": "GHSA-fm7p-mprw-wjm9",
  "modified": "2026-06-19T19:35:59Z",
  "published": "2026-06-19T19:35:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ohler55/oj/security/advisories/GHSA-fm7p-mprw-wjm9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ohler55/oj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Oj: intern.c form_attr (uninitialized stack read)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…