CVE-2026-33210 Overview
A format string injection vulnerability has been identified in Ruby JSON, the JSON implementation for Ruby. This vulnerability affects versions from 2.14.0 up to (but not including) versions 2.15.2.1, 2.17.1.2, and 2.19.2. When the allow_duplicate_key: false parsing option is used to parse user-supplied JSON documents, attackers can exploit this flaw to launch denial of service attacks or disclose sensitive information.
Critical Impact
This vulnerability enables attackers to cause service disruptions or extract sensitive information from applications parsing untrusted JSON input with duplicate key validation enabled.
Affected Products
- Ruby JSON versions >= 2.14.0 and < 2.15.2.1
- Ruby JSON versions >= 2.14.0 and < 2.17.1.2
- Ruby JSON versions >= 2.14.0 and < 2.19.2
Discovery Timeline
- 2026-03-20 - CVE-2026-33210 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33210
Vulnerability Analysis
This vulnerability is classified as CWE-134 (Use of Externally-Controlled Format String). Format string vulnerabilities occur when user-controlled input is improperly used as a format string argument in functions that support format specifiers. In Ruby JSON, when parsing JSON documents with the allow_duplicate_key: false option enabled, attacker-controlled data can be interpreted as format string specifiers rather than literal text.
The vulnerability can be exploited remotely without authentication. The attack requires network access and the presence of specific parsing configuration, making it conditionally exploitable but dangerous when conditions are met.
Root Cause
The root cause stems from improper handling of user-supplied JSON keys during the duplicate key validation process. When allow_duplicate_key: false is specified, the parser performs additional processing on key values that inadvertently passes user-controlled data through a format string function without proper sanitization. This allows specially crafted JSON keys containing format specifiers (such as %s, %x, %n) to be interpreted as formatting instructions rather than literal string content.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can craft malicious JSON documents containing format string specifiers in key names. When an application parses this document with duplicate key checking enabled, the format string specifiers are processed, potentially causing:
- Denial of Service: Format specifiers like %n or excessive width specifiers can crash the application or cause resource exhaustion
- Information Disclosure: Format specifiers like %x or %p can leak memory contents, potentially exposing sensitive data such as stack addresses or application secrets
The vulnerability mechanism involves crafted JSON keys with embedded format specifiers being passed to internal formatting functions. When an application uses JSON.parse(untrusted_input, allow_duplicate_key: false), malicious keys in the input can trigger the vulnerability. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2026-33210
Indicators of Compromise
- Application crashes or unexpected terminations when processing JSON input
- Error logs showing format string-related errors or memory access violations
- Unusual memory consumption patterns during JSON parsing operations
- Stack traces indicating crashes within JSON parsing routines
Detection Strategies
- Monitor application logs for parsing errors or unexpected exceptions from the JSON library
- Implement input validation to detect potential format string specifiers (%s, %x, %n, %p) in JSON keys before parsing
- Deploy runtime application self-protection (RASP) to detect format string exploitation attempts
- Review code for usage of allow_duplicate_key: false option with untrusted input sources
Monitoring Recommendations
- Enable verbose logging for JSON parsing operations to capture detailed error information
- Set up alerts for application crashes or restarts that correlate with JSON processing
- Monitor for unusual patterns in error rates or response times from services parsing JSON
- Implement anomaly detection for memory usage spikes during request processing
How to Mitigate CVE-2026-33210
Immediate Actions Required
- Upgrade Ruby JSON to patched versions 2.15.2.1, 2.17.1.2, or 2.19.2 immediately
- Audit applications to identify usage of allow_duplicate_key: false with untrusted input
- Consider temporarily removing or disabling allow_duplicate_key: false option until patches are applied
- Implement input sanitization to filter potential format string specifiers from JSON input
Patch Information
Security patches have been released in the following versions:
| Branch | Patched Version |
|---|---|
| 2.15.x | 2.15.2.1 |
| 2.17.x | 2.17.1.2 |
| 2.19.x | 2.19.2 |
Upgrade to the appropriate patched version based on your current Ruby JSON version. Detailed patch information is available in the GitHub Security Advisory.
Workarounds
- Remove allow_duplicate_key: false option from JSON parsing calls handling untrusted input until patches can be applied
- Implement a pre-processing layer to validate and sanitize JSON keys before parsing
- Use application firewalls or input filtering to block requests containing potential format string patterns in JSON payloads
- Isolate JSON parsing operations in sandboxed environments to limit the impact of potential exploitation
# Upgrade Ruby JSON gem to patched version
gem update json
# Or specify version in Gemfile
# gem 'json', '>= 2.19.2'
# Verify installed version
gem list json
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
