CVE-2017-14064 in macOS

Summary

by MITRE

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.


Analysis

by VulDB Data Team • 05/10/2026

The vulnerability identified as CVE-2017-14064 is a critical memory exposure flaw in Ruby's JSON generation functionality, affecting versions through 2.2.7, 2.3.x up to 2.3.4, and 2.4.x up to 2.4.1. It stems from improper handling of string termination in the JSON generator extension, specifically in ext/json/ext/generator/generator.c, where strdup is used to copy a caller-supplied string without regard to the length recorded for it. When the input contains a null byte, strdup stops copying at that byte, so the duplicated buffer is shorter than the length the generator has recorded. This mismatch between the actual copy and the recorded length means that memory beyond the copy can be included in the JSON output. The flaw manifests during JSON.generate operations when the input contains null bytes, leading to potential information disclosure and memory corruption issues that could be exploited by attackers.

The technical root cause aligns with CWE-126, "Buffer Over-read", in which an application reads data past the end of a valid buffer. Here the generator's strdup copy does not account for the actual string length versus the length held in the space_len variable. When a null byte occurs within the input, strdup terminates the copy early, but space_len retains its original value; the generator then reads space_len bytes from the shorter buffer, so memory beyond the copy's boundary ends up in the generated JSON. The exposed memory can include sensitive data from adjacent memory locations, such as cryptographic keys, session tokens, or other confidential values stored near the processed strings.

From an operational perspective, this vulnerability poses significant risk to Ruby applications that pass user input through JSON generation. Attackers can craft input containing null bytes to trigger the over-read and extract arbitrary contents of the application's memory space. It is particularly concerning in web applications, where JSON generation is commonly used for API responses, data serialization, and communication protocols. Exposed memory could lead to credential theft, session hijacking, or disclosure of sensitive application data, making this a high-severity issue that requires immediate attention. The leaked information could also assist in bypassing security controls or facilitate more sophisticated attacks.

Organizations should upgrade to patched Ruby versions where this vulnerability has been resolved, typically Ruby 2.2.8, 2.3.5, or 2.4.2 and later releases. The fix corrects the string handling in the JSON generator extension so that the copy accounts for null bytes in the input and the recorded string length matches the actual content length. Security teams should also consider input validation and sanitization to prevent null byte injection, and monitor for suspicious JSON generation activity that might indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1059.007 for "Command and Scripting Interpreter: Python" and T1566.001 for "Phishing: Spearphishing Attachment", as attackers may use it to extract sensitive information from compromised systems; security operations should prioritize this patching effort alongside other critical vulnerabilities.
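The strdup-versus-space_len mismatch described in the root-cause analysis, and the length-aware copy that the fix paragraph calls for, shown side by side in C. This is an added illustration, not code from Ruby's generator.c: the gen_state struct, the function names and the 10-byte sample string are constructed for the example, and set_space_fixed approximates the shape of the upstream fix rather than reproducing it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Stand-in for the generator state: the "space" string and the caller's
 * length for it (the space_len of the CVE). Names are hypothetical. */
typedef struct {
    char *space;
    size_t space_len;
} gen_state;

/* Vulnerable pattern: strdup() stops at the first '\0', while space_len
 * keeps the caller's full length, so the two disagree. */
int set_space_vulnerable(gen_state *st, const char *ptr, size_t len) {
    st->space = strdup(ptr);   /* copy ends at the first NUL byte */
    if (!st->space) return -1;
    st->space_len = len;       /* recorded length != copied length */
    return 0;
}

/* Hardened pattern (approximates the upstream fix): copy exactly len
 * bytes, so every byte a length-driven emitter reads is backed. */
int set_space_fixed(gen_state *st, const char *ptr, size_t len) {
    st->space = malloc(len ? len : 1);
    if (!st->space) return -1;
    memcpy(st->space, ptr, len);   /* embedded NULs copied verbatim */
    st->space_len = len;
    return 0;
}

/* Bytes an emitter writing space_len bytes would read past strdup's
 * allocation (strlen + 1). 0 = safe; (size_t)-1 = allocation failed. */
size_t overread_bytes_strdup(const char *ptr, size_t len) {
    gen_state st = {0};
    if (set_space_vulnerable(&st, ptr, len) != 0) return (size_t)-1;
    size_t copied = strlen(st.space) + 1;
    size_t over = st.space_len > copied ? st.space_len - copied : 0;
    free(st.space);
    return over;
}

/* With the fixed copy, all len bytes (NULs included) match the input. */
int fixed_copy_matches(const char *ptr, size_t len) {
    gen_state st = {0};
    if (set_space_fixed(&st, ptr, len) != 0) return 0;
    int ok = st.space_len == len && memcmp(st.space, ptr, len) == 0;
    free(st.space);
    return ok;
}
```

For the constructed 10-byte input "  \0padding", overread_bytes_strdup reports 7 bytes (strdup's copy occupies only 3), while fixed_copy_matches returns 1; an input without a NUL yields 0.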

Reservation

08/31/2017

Disclosure

08/31/2017

Moderation

accepted

Entry

2

CPE

ready

EPSS

0.09445

KEV

no

Activities

very low
