CVE-2026-54592 in ohler55info

Summary

by MITRE • 07/01/2026

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doc#each_child, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to DoS. In a two-step chain in ext/oj/fast.c, doc_each_child increments doc->where past the where_path[MAX_STACK = 100] array with no bounds check and never restores it (the doc->where-- is missing), so calling each_child recursively from inside the yield block drives doc->where beyond the array. On the next entry the function copies the path into the 800-byte stack-local buffer save_path[MAX_STACK] using wlen = doc->where - doc->where_path, so when the previous recursive call left doc->where past where_path[100] the wlen exceeds MAX_STACK and the memcpy overflows save_path on the C stack; because the Oj::Doc parser imposes no JSON nesting-depth limit (relying on a C-stack pressure check), deeply nested attacker input reaches this path. This issue has been fixed in version 3.17.3.


Analysis

by VulDB Data Team • 07/01/2026

The Oj gem is a high-performance JSON parser and object marshaller for Ruby, widely used in services that process large volumes of JSON. The vulnerability resides in the Oj::Doc#each_child implementation in versions prior to 3.17.3, specifically in how the document's path stack is managed during recursive traversal of deeply nested JSON. The flaw is a stack-based buffer overflow in the C extension whose practical effect is a process abort, i.e. a denial-of-service condition.

The defect is in ext/oj/fast.c, where the doc_each_child function maintains the current position in a fixed-size where_path array of MAX_STACK (100) entries without any bounds check. The function advances doc->where to step into the node's children but never restores it afterwards (the doc->where-- is missing), so every call leaves the pointer one entry deeper than it found it. When each_child is called recursively from inside the yield block, these unrestored increments accumulate and doc->where eventually points past the end of where_path. On the next entry the function computes wlen = doc->where - doc->where_path to save the current path; once doc->where has drifted past where_path[100], wlen exceeds MAX_STACK and the memcpy into the 800-byte stack-local save_path[MAX_STACK] buffer writes beyond it.

The vulnerability is therefore a two-step chain: the earlier recursive call leaves doc->where in an invalid state, and the subsequent call turns that state into an out-of-bounds memcpy. What lets attacker input reach this path is that the Oj::Doc parser imposes no explicit JSON nesting-depth limit; it only relies on a C-stack pressure check to stop runaway recursion, and that check does not protect the fixed-size where_path and save_path arrays. Sufficiently nested JSON is parsed successfully and then overflows the path buffer during traversal, and the resulting stack corruption (or the stack protector that detects it) terminates the process.

The operational impact is loss of availability: an attacker who can supply a deeply nested JSON document to code that walks it with recursive each_child calls crashes the whole Ruby process, not just the request being handled, so every other request served by that process is lost as well. The concern applies specifically to applications that hand untrusted JSON to the Oj::Doc API and recurse through each_child; code that only uses Oj.load or Oj.dump is not on this code path according to the advisory.

The primary mitigation is to upgrade to Oj 3.17.3 or later, which restores doc->where after iterating the children and bounds-checks the path stack. Where an upgrade cannot be applied immediately, enforce a JSON nesting-depth limit at the application level before the document reaches Oj::Doc, and monitor for the resulting process aborts and restarts, which are the observable symptom of attempted exploitation. Runtime protections such as stack canaries and ASLR do not prevent this issue: a canary converts the overflow into an abort, which is the same denial-of-service outcome, although these protections do make escalation from the overflow to code execution far less reliable. The vulnerability aligns with CWE-121 (Stack-based Buffer Overflow) and maps to ATT&CK technique T1499.004, Endpoint Denial of Service: Application or System Exploitation.

The root cause is a missing cleanup step rather than an exotic parsing bug: because doc_each_child omits the doc->where-- that should undo its own increment, recursive calls accumulate an invalid pointer offset that eventually leaves the array. The lesson generalises to any code that tracks position in a fixed-size stack: every push must have a matching pop on every exit path, and the depth must be checked against the array size before it is used as a memcpy length.

Responsible

GitHub M

Reservation

06/15/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
