Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2.
Advisories
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-475m-ph3x-64gp | Oj: Integer Overflow in Oj.load 2GB String Handling |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 01 Jul 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |

Wed, 01 Jul 2026 10:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Ohler, Ohler oj, Ohler55, Ohler55 oj | |
| Vendors & Products | Ohler, Ohler oj, Ohler55, Ohler55 oj | |

Wed, 01 Jul 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2. | |
| Title | Oj: Integer Overflow in Oj.load 2GB String Handling | |
| Weaknesses | CWE-190 | |
| References | | |
| Metrics | cvssV4_0 | |
Status: PUBLISHED
Assigner: GitHub_M
Updated: 2026-07-01T12:43:48.523Z
Reserved: 2026-06-16T13:49:33.555Z
Link: CVE-2026-54903
Updated: 2026-07-01T12:43:43.773Z
OpenCVE Enrichment
Updated: 2026-07-01T15:15:04Z