## Ruby JSON Library Exposes Format String Injection Vulnerability (CVE-2026-33210)
A critical format string injection vulnerability has been disclosed in the widely used Ruby `json` library, tracked as CVE-2026-33210. The flaw, which can lead to denial of service or information disclosure, is reachable only under a specific, non-default configuration: the library must be parsing untrusted, attacker-supplied JSON with the `allow_duplicate_key: false` option set. The only thing that option changes is that the parser raises an error when an object key is repeated, so the exposed code is the duplicate-key error path, and the attacker-controlled value that reaches it is the offending key name. A key containing format directives can therefore crash the application or pull data from process memory into the error message.

The security advisory from the Ruby JSON project confirms the vulnerability is patched in version `2.19.2`. The exposure is highly conditional: only applications that have explicitly opted into `allow_duplicate_key: false` are affected, so the large majority of Ruby projects running the library's default settings face no immediate impact. Teams that do use the option should confirm that `JSON::VERSION` at runtime (or `bundle info json` in the project) reports `2.19.2` or later. The fix is already arriving through automated dependency-update bots such as Renovate, making this a targeted but essential upgrade for the subset of the ecosystem that relies on strict duplicate-key rejection.

This incident underscores the persistent security risks hidden within common parsing libraries and their configuration options. While the blast radius is limited, it is a sharp reminder for development teams to audit dependency configurations, especially non-default flags applied to external data: searching the codebase for `allow_duplicate_key` and noting every call that passes `false` for untrusted input is a quick first pass. The immediate workaround is straightforward: stop passing the vulnerable option until the patch is applied. The trade-off is that repeated keys are then accepted under the library's default behaviour (the last occurrence wins), so any logic that depends on duplicate keys being rejected needs its own check in the meantime. The broader implication is a reinforcement of software supply chain vigilance, where a single, obscure setting can become an attack vector.
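As an added example, not code from the `json` gem or its advisory, the following Ruby shows how an application that needs duplicate-key rejection can check whether the installed gem carries the fix and, until it does, reject repeated keys itself without passing `allow_duplicate_key: false`. The helper names (`patched_json?`, `StrictKeyHash`, `parse_rejecting_duplicates`, `parse_untrusted`) and the hostile sample document are this example's own; `object_class` and `allow_duplicate_key` are the gem's real parser options, and `2.19.2` is the patched version the advisory names.

```ruby
# Added example (not code from the json gem or its advisory): decide at
# runtime whether the installed json gem carries the CVE-2026-33210 fix and,
# if it does not, reject duplicate keys without handing an attacker-
# controlled key name to the gem's own duplicate-key error path.
require 'json'
require 'rubygems'

# First release the advisory lists as patched.
PATCHED_JSON_VERSION = Gem::Version.new('2.19.2')

# True when the given json gem version (default: the loaded one) is 2.19.2
# or newer and therefore safe to call with allow_duplicate_key: false.
def patched_json?(version = JSON::VERSION)
  Gem::Version.new(version) >= PATCHED_JSON_VERSION
end

# Hash subclass the parser builds objects into via object_class. The gem
# calls #[]= for every key/value pair it decodes, so a repeated key is
# caught here, in Ruby, before the gem's own duplicate handling runs. The
# key is interpolated into an ordinary string and never used as a format
# string, so a key such as "%s%s%n" is inert.
class StrictKeyHash < Hash
  def []=(key, value)
    raise JSON::ParserError, "duplicate key #{key.inspect}" if key?(key)
    super
  end
end

# Workaround path for unpatched versions: JSON.parse with the default
# duplicate-key handling (not the vulnerable option), and rejection done by
# StrictKeyHash. object_class applies to every JSON object in the document,
# so nested duplicates are rejected too.
def parse_rejecting_duplicates(src)
  JSON.parse(src, object_class: StrictKeyHash)
end

# Entry point for untrusted input (name is this example's own): use the
# gem's native option only once the fix is present, the StrictKeyHash
# fallback otherwise. Both branches raise JSON::ParserError on a repeated key.
def parse_untrusted(src)
  if patched_json?
    JSON.parse(src, allow_duplicate_key: false)
  else
    parse_rejecting_duplicates(src)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: the repeated key carries format directives, the
  # shape an attacker would send to probe the vulnerable error path.
  hostile = '{"%s%s%n": 1, "%s%s%n": 2}'
  puts "json gem #{JSON::VERSION}, patched: #{patched_json?}"
  begin
    parse_untrusted(hostile)
  rescue JSON::ParserError => e
    puts "rejected: #{e.message}"
  end
end
```

The fallback relies on a documented property of `object_class`: the parser instantiates the given class and stores each decoded pair through `[]=`, so the subclass sees the second occurrence of a key and can refuse it. That matches what `allow_duplicate_key: false` provides (rejection rather than last-wins) without routing the key through the gem's error formatting, but it is a stopgap, not a substitute for upgrading to `2.19.2`.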
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-33210, Ruby, Supply Chain Security, Vulnerability, Open Source
- **Credibility**: unverified
- **Published**: 2026-03-25 20:27:21
- **ID**: 33957
- **URL**: https://whisperx.ai/en/intel/33957