CVE-2026-33210

EUVD-2026-13875
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
ruby-langjson
2.14.0 ≤
𝑥
< 2.15.2.1
ruby-langjson
2.16.0 ≤
𝑥
< 2.17.1.2
ruby-langjson
2.18.0 ≤
𝑥
< 2.19.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-json
bookworm
2.6.3+dfsg-1
fixed
bullseye
2.3.0+dfsg-1
fixed
forky
2.19.2+dfsg-1
fixed
sid
2.19.2+dfsg-1
fixed
trixie
2.9.1+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-json
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
trusty
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3