## Ruby JSON Library Patches Critical Format String Injection Vulnerability (CVE-2026-33210)
A critical security vulnerability has been patched in the widely used Ruby JSON library, exposing applications to a format string injection attack. The flaw, tracked as CVE-2026-33210, was present in the `JSON.parse` method when used with the `allow_duplicate_key: false` option. This type of vulnerability can allow an attacker to execute arbitrary code or cause a denial of service by supplying specially crafted JSON input.

The patch was released in version 2.19.2 of the `json` gem. The update also includes a fix for a compiler-dependent garbage collection bug introduced in version 2.18.0, which was addressed in the preceding 2.19.1 release. The assignment of a CVE identifier signals the severity of the flaw and the formal recognition of the security risk it posed to the many Ruby and Ruby on Rails applications that depend on this core library for data serialization.

This update is a mandatory security patch for any project using the `json` gem. The presence of a CVE and the specific nature of the injection flaw will prompt immediate scrutiny from security teams and DevOps personnel. Organizations must prioritize upgrading from any version prior to 2.19.2 to mitigate the risk of exploitation. The fix highlights the persistent threat of injection attacks in foundational parsing libraries and the critical importance of maintaining dependency hygiene in the software supply chain.
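As an added example (not code from the advisory or from the json gem project), the following Ruby script parses a Bundler Gemfile.lock and reports whether the locked `json` gem predates the patched 2.19.2 release, using `Gem::Version` so that a version such as 2.9.0 is not mistaken for newer than 2.19.2 by string comparison; the lockfile it scans is constructed for the demonstration.

```ruby
# Added example, not code from the advisory or the json gem project: scan a
# Bundler Gemfile.lock for a json gem older than the patched 2.19.2 release.
require "rubygems"

PATCHED_JSON_VERSION = Gem::Version.new("2.19.2")

# Parse the "specs:" entries of a Gemfile.lock into { name => Gem::Version }.
# Only lines indented by exactly four spaces are gem specs; deeper lines list
# a gem's own dependencies and are skipped.
def lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A non-indented line (PLATFORMS, DEPENDENCIES, ...) ends the specs block.
    in_specs = false if in_specs && line.match?(/\A\S/)
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = Gem::Version.new(m[2]) if m
  end
  specs
end

# Return :vulnerable, :patched, or :absent for the json gem in the lockfile.
# Gem::Version compares numerically per segment, so "2.9.0" sorts before
# "2.19.2"; a plain string comparison would get that backwards.
def json_gem_status(lockfile_text)
  version = lockfile_specs(lockfile_text)["json"]
  return :absent if version.nil?
  version < PATCHED_JSON_VERSION ? :vulnerable : :patched
end

# Constructed sample lockfile for demonstration, not a real project's file.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.18.0)
      rake (13.2.1)
        json (>= 2.0)

  DEPENDENCIES
    json
    rake
LOCK

puts "json gem: #{json_gem_status(SAMPLE_LOCKFILE)}" # => json gem: vulnerable
```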

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-33210, Ruby, Security Vulnerability, Supply Chain, Dependency
- **Credibility**: unverified
- **Published**: 2026-03-25 19:27:31
- **ID**: 33899
- **URL**: https://whisperx.ai/en/intel/33899