oj
RubyGems11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting ojpage 1 of 1
- CVE-2026-54500MEDIUMCVSS 5.3EG 5.3✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object w…
- CVE-2026-54502MEDIUMCVSS 6.3EG 6.3✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in …
- CVE-2026-54592HIGHCVSS 7.5EG 7.5✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doc#each_child, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts…
- CVE-2026-54896LOWCVSS 2.1EG 2.1✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in object mode, Oj.dump is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent va…
- CVE-2026-54897LOWCVSS 2.1EG 2.1✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration …
- CVE-2026-54898LOWCVSS 2.1EG 2.1✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2,Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. T…
- CVE-2026-54899MEDIUMCVSS 6.3EG 6.3✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to fals…
- CVE-2026-54900MEDIUMCVSS 6.3EG 6.3✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in usual mode with create_id enabled, Oj::Parser#parse is vulnerable to heap corruption via a negative-size memcpy. When a…
- CVE-2026-54901MEDIUMCVSS 6.3EG 6.3✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser in usual mode does not mark array_class and hash_class references during garbage collection, leading to Use-After-Fr…
- CVE-2026-54902MEDIUMCVSS 6.3EG 6.3✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, is vulnerable to Use-After-Free when in SAJ mode. The Oj::Parser does not protect cached object keys (≥ 35 bytes) from garbage co…
- CVE-2026-54903MEDIUMCVSS 6.3EG 6.3✓ Fixed in 3.17.32026-06-19
vulnerable: 0.5 ... 3.9.2 (294 versions)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string …
Check whether oj is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for oj CVEs against the assets you own.
Start Free Scan →