CVE-2026-33210
Published 2026-03-20
Priority P3 · 50 · critical · CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.84% (percentile 53.2)
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-json | < ruby-json 2.19.2+dfsg-1 (forky) | ruby-json 2.19.2+dfsg-1 (forky) |
| joyent | json | >= 2.14.0 < 2.15.2.1 | 2.15.2.1 |
| joyent | json | >= 2.16.0 < 2.17.1.2 | 2.17.1.2 |
| joyent | json | >= 2.18.0 < 2.19.2 | 2.19.2 |
| ruby-lang | json | >= 2.14.0 < 2.15.2.1 | 2.15.2.1 |
| ruby-lang | json | >= 2.16.0 < 2.17.1.2 | 2.17.1.2 |
| ruby-lang | json | >= 2.18.0 < 2.19.2 | 2.19.2 |
| ruby | json | — | — |
| ruby | json | — | — |
| ruby | json | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| nvd | 4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined) |
| osv | — | 8.3 | HIGH | — |
| vendor_debian | — | 8.3 | LOW | — |
| vendor_redhat | — | 8.3 | HIGH | — |
The 9.1 versus 8.3 split comes from NVD's two vectors: the v3.1 vector rates confidentiality impact High, while the v4.0 vector rates it Low and records an attack requirement (AT:P), which is consistent with the advisory's precondition that the non-default `allow_duplicate_key: false` option must be in use. Debian rates the issue LOW despite carrying the 8.3 score.
OSV
CVE-2026-33210: Ruby JSON is a JSON implementation for Ruby (osv · 2026-03-20 · CVSS 8.3, HIGH); description as in the NVD entry above.
GHSA
Ruby JSON has a format string injection vulnerability (ghsa · 2026-03-19 · HIGH · CWE-134)
### Impact
A format string injection vulnerability that can lead to denial of service attacks or information disclosure, when the `allow_duplicate_key: false` parsing option is used to parse user supplied documents.
This option isn't the default; if you didn't opt in to it, you are not impacted.
### Patches
Patched in `2.19.2`.
### Workarounds
The issue can be avoided by not using the `allow_duplicate_key: false` parsing option.
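The advisory's workaround, dropping `allow_duplicate_key: false` for user-supplied documents, also drops the duplicate-key rejection that callers enabled the option for. The Ruby below is an added example, not code from ruby/json, GitHub or any advisory on this page. It encodes the three vulnerable ranges from the Affected table so a deployment can test the gem it actually loaded, and it rejects duplicate member names with a small pre-scan of the document that never enters the gem's duplicate-key code path, so it behaves identically on vulnerable and fixed versions. `affected_json_version?`, `find_duplicate_key`, `parse_untrusted`, `DuplicateKeyError` and the sample documents are this example's own; the error class keeps the attacker-controlled key as data and builds its message by plain interpolation, which is the CWE-134 point this CVE turns on.

```ruby
require "json"
require "rubygems"

# Vulnerable ranges for CVE-2026-33210, copied from the "Affected" table on this
# page; each Gem::Requirement is [introduced, first fixed release).
AFFECTED_JSON_RANGES = [
  Gem::Requirement.new(">= 2.14.0", "< 2.15.2.1"),
  Gem::Requirement.new(">= 2.16.0", "< 2.17.1.2"),
  Gem::Requirement.new(">= 2.18.0", "< 2.19.2"),
].freeze

# True when the given json gem version (default: the loaded one) is vulnerable.
def affected_json_version?(version = JSON::VERSION)
  v = Gem::Version.new(version)
  AFFECTED_JSON_RANGES.any? { |range| range.satisfied_by?(v) }
end

# Raised by parse_untrusted on a repeated member name. The key is stored as
# data and joined into the message by plain interpolation; it is never handed
# to a printf-style formatter, which is the CWE-134 mistake this CVE describes.
class DuplicateKeyError < StandardError
  attr_reader :key

  def initialize(key)
    @key = key
    super("duplicate key in JSON object: #{key.inspect}")
  end
end

# Scan a JSON document and return the first member name that repeats inside a
# single object, or nil. Only string tokens and bracket nesting are interpreted;
# numbers, literals and whitespace are skipped. Member names are decoded with
# JSON.parse so that "a" and "\u0061" are recognised as the same key. The scan
# assumes syntactically valid JSON; parse_untrusted runs the real parser after it.
def find_duplicate_key(source)
  stack = []        # one entry per open container: nil for an array, a Hash of seen keys for an object
  want_key = false  # true when the next string token is a member name of the innermost object
  i = 0
  while i < source.length
    case source[i]
    when '"'
      j = i + 1
      j += (source[j] == "\\" ? 2 : 1) while j < source.length && source[j] != '"'
      if want_key
        key = JSON.parse(source[i..j])
        return key if stack.last.key?(key)
        stack.last[key] = true
        want_key = false
      end
      i = j
    when "{"
      stack.push({})
      want_key = true
    when "["
      stack.push(nil)
      want_key = false
    when "}", "]"
      stack.pop
      want_key = false
    when ","
      want_key = !stack.last.nil?   # after a comma an object expects a name, an array a value
    end
    i += 1
  end
  nil
end

# Parse untrusted input and reject duplicate keys on every json gem version,
# without passing allow_duplicate_key: false (the option this CVE is about).
def parse_untrusted(source)
  dup = find_duplicate_key(source)
  raise DuplicateKeyError, dup if dup
  JSON.parse(source)
end

if $PROGRAM_NAME == __FILE__
  puts "json #{JSON::VERSION} affected by CVE-2026-33210: #{affected_json_version?}"
  puts parse_untrusted('{"id": 7, "tags": ["a", "a"]}').inspect   # repeated array values are fine
  begin
    parse_untrusted('{"role": "user", "role": "admin"}')           # constructed attack document
  rescue DuplicateKeyError => e
    puts "rejected: #{e.message}"
  end
end
```

The scan runs before the gem's parser on purpose: a malformed document is still rejected by `JSON.parse`, and a well-formed one with a repeated name never reaches the parser, so neither the vulnerable option nor the deprecation warning newer json releases emit for duplicates is involved. Keep the check at the boundary where the document is untrusted; internal documents generated by your own serializer do not need it.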
OSV
Ruby JSON has a format string injection vulnerability (osv · 2026-03-19 · HIGH); same advisory text as the GHSA entry above.
Red Hat
ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection (vendor_redhat · 2026-03-20 · CVSS 8.3, HIGH · CWE-134); description as in the NVD entry above.
A flaw was found in Ruby JSON. This vulnerability, a format string injection, allows a remote attacker to cause a denial of service (DoS) or disclose sensitive information. The flaw occurs when processing specially crafted user-supplied documents with the allow_duplicate_key: false parsing option enabled.
Debian
CVE-2026-33210: ruby-json (vendor_debian · 2026 · CVSS 8.3, HIGH); description as in the NVD entry above.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 2.19.2+dfsg-1)
sid: resolved (fixed in 2.19.2+dfsg-1)
trixie: resolved
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33210 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 4.8, MEDIUM)
Ruby vulnerability analysis and mitigation; description as in the NVD entry above (Source: NVD).
Score: 8.3 (CNA score 8.3), severity HIGH
Published: March 20, 2026
Affected technologies: Ruby, NixOS
Has public exploit: No
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
EPSS: N/A (percentile 7.4)
Affected packages and libraries: ruby:3.3:
Wiz (related entry)
CVE-2025-10990 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.6, MEDIUM)
Ruby Interpreter vulnerability analysis and mitigation: A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761. (Source: NVD)
Score: 7.5 (CNA score 7.5), severity HIGH
Published: February 27, 2026
Affected technologies: Ruby Interpreter, Linux Ubuntu
Has public exploit: No
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
EPSS: 0.2 (percentile 36.8)
Bugzilla
CVE-2026-33210 ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection (bugzilla · 2026-03-21 · CVSS 8.3, HIGH); description as in the NVD entry above.
References:
https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
https://access.redhat.com/errata/RHSA-2026:20596
https://access.redhat.com/errata/RHSA-2026:20606
https://access.redhat.com/security/cve/CVE-2026-33210
https://bugzilla.redhat.com/show_bug.cgi?id=2449871
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33210.json