CVE-2025-27788 — Out-of-bounds Read in Javascript Object Notation

CWE-125 — Out-of-bounds Read7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 41.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Javascript Object Notation Joyent Json Ruby Json

Timeline

PublishedMar 12

Description

JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted document could cause an out of bound read, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable. Version 2.10.2 fixes the problem. No known workarounds are available.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5ruby/json>= 2.10.0, < 2.10.2

▶RubyGemsjoyent/json2.10.0 — 2.10.2

▶NVDruby-lang/javascript_object_notation2.10.0 — 2.10.2

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Out-of-bounds Read in Ruby JSON Parser↗2025-03-12

▶

CVEList

Ruby JSON Parser has Out-of-bounds Read↗2025-03-12

▶

GHSA

Out-of-bounds Read in Ruby JSON Parser↗2025-03-12

▶

OSV

CVE-2025-27788: JSON is a JSON implementation for Ruby↗2025-03-12

▶

📋Vendor Advisories

Red Hat

json: Ruby JSON Parser has Out-of-bounds Read↗2025-03-12

▶

Debian

CVE-2025-27788: ruby-json - JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to ...↗2025

▶