CVE-2026-54898 in ohler55info

Summary

by MITRE • 07/01/2026

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling String#replace with a longer value — Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free. This issue has been fixed in version 3.17.2.


Analysis

by VulDB Data Team • 07/01/2026

The Oj gem represents a high-performance JSON parser and object marshaller for Ruby applications, widely utilized in enterprise environments for efficient data serialization and deserialization operations. The vulnerability under discussion affects versions prior to 3.17.2 where the Oj::Parser#parse method exhibits a critical heap use-after-free condition that can be exploited through specific callback mechanisms. This flaw occurs within the C engine component of the gem, specifically when utilizing SAJ or SAJ2 callback parsing modes that allow developers to customize parsing behavior through event-driven callbacks.

The technical root cause stems from how the C engine manages memory references during JSON parsing operations. The parser maintains a raw const byte pointer that directly references the internal buffer of Ruby strings containing the JSON data. When parsing encounters callback events such as hash_start, these callbacks can modify the input string through methods like String#replace that may result in string buffer reallocation. This reallocation process causes Ruby to free the original memory buffer while the C parser continues to reference this now-invalidated memory location, creating a dangling pointer condition.

The operational impact arises when an attacker supplies JSON whose structure drives a particular sequence of callbacks during parsing and an application-supplied callback resizes the input string in response. At line 607 in parser.c, the next character read from the input stream touches freed memory, potentially leading to arbitrary code execution or system compromise. This use-after-free condition permits memory corruption that can be leveraged to execute malicious payloads, making it particularly dangerous in server-side applications where untrusted JSON data is processed.

The vulnerability aligns with CWE-416, which describes the use of freed memory condition, and represents a classic heap corruption issue that can be exploited through memory management flaws in native code components. From an adversary perspective, this vulnerability maps to ATT&CK technique T1059.007 for command and scripting interpreter execution, as successful exploitation could lead to arbitrary code execution within the application context. The security implications extend beyond simple memory corruption since this flaw affects Ruby applications that process external JSON input, potentially compromising entire server infrastructures.

Organizations should immediately upgrade to Oj version 3.17.2 or later to address this vulnerability, as the fix properly handles string buffer reallocation scenarios during callback execution. Because the dangling pointer only arises when a handler mutates the input string, SAJ/SAJ2 handlers that never modify the input, or that are given a frozen private copy of it, cannot trigger the condition; this, together with input validation and sanitization, can reduce the attack surface while awaiting the deployment of patched versions. Security monitoring should focus on detecting unusual parsing patterns that might indicate exploitation attempts, particularly in applications that process JSON data from untrusted sources. The vulnerability highlights the importance of careful memory management in native extensions and demonstrates how seemingly benign callback mechanisms can create critical security weaknesses when combined with dynamic memory allocation patterns.
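Two defensive checks for the condition described above, written as an added example (not code from the advisory or from the Oj project): a Gemfile.lock scan against the fixed release 3.17.2, and a wrapper that hands the parser a frozen private copy so a callback's String#replace raises FrozenError instead of reallocating the buffer the native parser still points into. ToyEventParser, MutatingHandler and ReadOnlyHandler are constructed stand-ins for a SAJ-style parser and its callbacks so the example runs without Oj installed; the wrapper assumes the real parser accepts a frozen String.

```ruby
require "rubygems"
FIXED_OJ_VERSION = Gem::Version.new("3.17.2")

# Scan Gemfile.lock text for a resolved oj entry (four-space indent under
# "specs:"; dependency lines use six) and report whether it predates the fix.
# Returns nil when oj is not listed.
def oj_vulnerable?(lockfile_text)
  match = lockfile_text.match(/^ {4}oj \(([\d.]+)\)/)
  return nil unless match
  Gem::Version.new(match[1]) < FIXED_OJ_VERSION
end

# Hand the parser a private frozen copy of the input. A SAJ/SAJ2 callback that
# calls String#replace on it now raises FrozenError instead of reallocating
# the buffer the native parser still points into.
def parse_with_frozen_input(parser, json, handler)
  parser.parse(json.dup.freeze, handler)
end

# True when a handler tried to resize the input and the frozen copy blocked it.
def mutation_blocked?(parser, json, handler)
  parse_with_frozen_input(parser, json, handler)
  false
rescue FrozenError
  true
end

# Constructed stand-in for a SAJ-style parser (not Oj): it walks the input one
# character at a time and fires hash_start on each '{' with the same string.
class ToyEventParser
  def parse(str, handler)
    events = []
    str.each_char.with_index { |c, i| events << handler.hash_start(str, i) if c == "{" }
    events
  end
end

# The pattern the advisory warns about: a callback that grows the input string
# mid-parse. On an unfrozen string this is what forces the reallocation.
class MutatingHandler
  def hash_start(str, _pos)
    str.replace(str + " " * 1024)
    :hash_start
  end
end

# A callback that only records events never touches the buffer.
class ReadOnlyHandler
  def hash_start(_str, pos)
    [:hash_start, pos]
  end
end
```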

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
