Ruby/json/2.19.0


This is a JSON implementation as a Ruby extension in C.

https://rubygems.org/gems/json
Ruby

2 Security Vulnerabilities

Ruby JSON has a format string injection vulnerability

Published date: 2026-03-19T12:45:53Z
CVE: CVE-2026-33210

Impact

A format string injection vulnerability that can lead to denial of service attacks or information disclosure when the allow_duplicate_key: false parsing option is used to parse user-supplied documents.

This option isn't the default; if you didn't opt in to use it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

Affected versions: ["2.15.2", "2.15.1", "2.15.0", "2.14.1", "2.14.0", "2.17.1", "2.17.0", "2.16.0", "2.19.1", "2.19.0", "2.18.1", "2.18.0"]
Secure versions: [2.10.2, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.13.2, 2.15.2.1, 2.17.1.2, 2.19.2, 2.19.3, 2.19.4, 2.19.5, 2.19.6, 2.19.7, 2.19.8, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.3.rc1, 2.7.4, 2.7.4.rc1, 2.7.4.rc2, 2.7.5, 2.7.6, 2.8.0, 2.8.0.alpha1, 2.8.1, 2.8.2, 2.9.0, 2.9.1]
Recommendation: Update to version 2.19.8.

Ruby JSON has a format string injection vulnerability

Published date: 2026-03-19
CVE: 2026-33210

Impact

A format string injection vulnerability that can lead to denial of service attacks or information disclosure when the allow_duplicate_key: false parsing option is used to parse user-supplied documents.

This option isn't the default; if you didn't opt in to use it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

Affected versions: ["2.14.1", "2.14.0", "2.15.0", "2.15.1", "2.15.2", "2.16.0", "2.17.0", "2.17.1", "2.18.0", "2.18.1", "2.19.0", "2.19.1"]
Secure versions: [2.10.2, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.13.2, 2.15.2.1, 2.17.1.2, 2.19.2, 2.19.3, 2.19.4, 2.19.5, 2.19.6, 2.19.7, 2.19.8, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.3.rc1, 2.7.4, 2.7.4.rc1, 2.7.4.rc2, 2.7.5, 2.7.6, 2.8.0, 2.8.0.alpha1, 2.8.1, 2.8.2, 2.9.0, 2.9.1]
Recommendation: Update to version 2.19.8.

128 Other Versions

Version License Security Released
1.4.3 UNKNOWN 4 2010-08-03 - 22:54 almost 16 years
1.4.2 UNKNOWN 4 2010-04-27 - 22:42 about 16 years
1.4.1 UNKNOWN 4 2010-04-25 - 13:47 about 16 years
1.4.0 UNKNOWN 4 2010-04-23 - 21:31 about 16 years
1.2.4 UNKNOWN 4 2010-04-08 - 07:52 about 16 years
1.2.3 UNKNOWN 4 2010-03-11 - 09:12 about 16 years
1.2.2 UNKNOWN 4 2010-02-28 - 17:17 over 16 years
1.2.1 UNKNOWN 4 2010-02-26 - 21:29 over 16 years
1.2.0 UNKNOWN 4 2009-11-08 - 04:16 over 16 years
1.1.9 UNKNOWN 4 2009-09-24 - 22:13 over 16 years
1.1.8 UNKNOWN 4 2009-09-24 - 22:13 over 16 years
1.1.7 UNKNOWN 4 2009-08-05 - 00:38 almost 17 years
1.1.6 UNKNOWN 4 2009-07-25 - 18:11 almost 17 years
1.1.5 UNKNOWN 4 2009-07-25 - 18:11 almost 17 years
1.1.4 UNKNOWN 4 2009-07-25 - 18:11 almost 17 years
1.1.3 UNKNOWN 4 2009-07-25 - 18:11 almost 17 years
1.1.2 UNKNOWN 4 2009-07-25 - 18:11 almost 17 years
1.1.1 UNKNOWN 4 2009-09-24 - 22:13 over 16 years
1.1.0 UNKNOWN 4 2009-09-24 - 22:13 over 16 years
1.0.4 UNKNOWN 5 2009-09-24 - 22:13 over 16 years
1.0.3 UNKNOWN 5 2009-09-24 - 22:13 over 16 years
1.0.2 UNKNOWN 5 2009-07-25 - 18:11 almost 17 years
1.0.1 UNKNOWN 5 2009-07-25 - 18:11 almost 17 years
1.0.0 UNKNOWN 5 2009-07-25 - 18:11 almost 17 years
0.4.3 UNKNOWN 5 2009-07-25 - 18:11 almost 17 years
0.4.2 UNKNOWN 5 2009-07-25 - 18:11 almost 17 years
0.4.1 UNKNOWN 5 2009-07-25 - 18:11 almost 17 years
0.4.0 UNKNOWN 5 2009-07-25 - 18:11 almost 17 years