## Ruby JSON Library Patches Critical Format String Injection Vulnerability (CVE-2026-33210)
A critical security vulnerability has been patched in the widely used Ruby `json` library. The flaw, tracked as CVE-2026-33210, is a format string injection vulnerability that can be triggered when `JSON.parse` is called with the `allow_duplicate_key: false` option. A flaw of this kind can allow an attacker to execute arbitrary code or cause a denial of service through specially crafted JSON input.

The patch was released in version 2.19.2 of the library. The release also includes the fix for a compiler-dependent garbage collection (GC) bug that was introduced in version 2.18.0 and addressed in the preceding version 2.19.1. The vulnerability is confined to the parsing logic, a subtle but dangerous edge case in how the library handles duplicate keys when that security flag is set.

This update is a mandatory security patch for any Ruby application or service that parses untrusted JSON with the affected method. The assignment of a CVE identifier signals the flaw's recognized severity within the software supply chain. Developers and security teams must prioritize upgrading the dependency to version 2.19.2 or later to mitigate the risk of exploitation. The fix underscores the ongoing need for rigorous dependency management and the latent risk present in foundational parsing libraries.
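As an added, defender-side example (not code from the advisory or from the `json` project), a small Ruby helper that gates on the fixed version named above and, while the installed gem is still older than 2.19.2, keeps the affected option out of the call path by enforcing duplicate-key rejection through a custom `object_class`. It assumes that `JSON.parse` fills a custom `object_class` through `[]=` and that `allow_duplicate_key: false` raises `JSON::ParserError` on patched versions.

```ruby
require 'rubygems'
require 'json'

# First json gem version that carries the CVE-2026-33210 fix (from the advisory).
FIXED_JSON_VERSION = Gem::Version.new('2.19.2')

# True when the given gem version string still carries the flaw.
def json_affected?(version = JSON::VERSION)
  Gem::Version.new(version) < FIXED_JSON_VERSION
end

# Hash subclass that refuses a second assignment to the same key.
# Assumption: the parser instantiates object_class and populates it via []=.
class StrictHash < Hash
  def []=(key, value)
    raise JSON::ParserError, "duplicate key #{key.inspect}" if key?(key)
    super
  end
end

# Parse untrusted JSON while rejecting duplicate object keys.
# Patched gem: rely on the library's own allow_duplicate_key: false.
# Unpatched gem: avoid that option and enforce the rule via object_class,
# which also applies to every nested object the parser builds.
def parse_strict(text)
  if json_affected?
    JSON.parse(text, object_class: StrictHash)
  else
    JSON.parse(text, allow_duplicate_key: false)
  end
end
```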

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-33210, Ruby, JSON, Security Vulnerability, Supply Chain
- **Credibility**: unverified
- **Published**: 2026-04-10 10:39:44
- **ID**: 58616
- **URL**: https://whisperx.ai/en/intel/58616