## Ruby JSON Gem Patches Critical Format String Injection Vulnerability Under CVE-2026-33210
The maintainers of Ruby's json gem have released version 2.15.2.1, patching a format string injection vulnerability (CVE-2026-33210) in the JSON.parse method when it is called with the allow_duplicate_key: false option. In affected versions, attacker-controlled input could be interpreted as a format string during parsing, so format specifiers embedded in the input were evaluated rather than treated as data. Because the parser is a C extension, this creates a memory-safety problem and a remote code execution risk in applications that parse untrusted JSON.

All versions prior to 2.15.2.1 are reported as affected. The patch corrects the specific code path in duplicate key detection that could be reached through carefully crafted input; no further details of the crafted input are given. Separately, version 2.15.2 fixed a depth counter issue in JSON::Coder#dump: a circular reference left the nesting counter permanently incremented, so every subsequent dump call raised JSON::NestingError even on well-formed data.

Applications that use the json gem to parse user-supplied or externally sourced JSON should update to 2.15.2.1 immediately. The allow_duplicate_key: false option is typically used in validation workflows that require strict schema enforcement, so the affected call sites are often exactly the security-sensitive ones. Note that json is a default gem bundled with the Ruby interpreter: unless the Gemfile pins a newer release, the version actually loaded may be the one that shipped with Ruby, so confirm the version the running process reports (JSON::VERSION) rather than relying on the Gemfile.lock alone. Developers using JSON::Coder for serialization should also update to pick up the corrected depth tracking from 2.15.2.
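The following is an added example, written for this page and not code from the json gem or from the original report. It shows how an application can check the loaded json version against the patched release and, on an unpatched gem, still reject duplicate keys without passing allow_duplicate_key: false (the option the report identifies as the vulnerable path). The hypothetical StrictHash helper relies on JSON.parse building object_class instances through #[]=; the patched version number is taken from the report, and the sample documents are constructed here, not known exploit strings. Updating the gem remains the actual fix; this only reduces exposure until that is done.

```ruby
require "json"
require "rubygems" # Gem::Version; normally already loaded by the interpreter

# Version that fixes CVE-2026-33210, as stated in the report above.
PATCHED_VERSION = Gem::Version.new("2.15.2.1")

# True when the given json gem version predates the fix.
# Defaults to the version actually loaded in this process, which for a
# default gem may differ from what Gemfile.lock claims.
def vulnerable_json_version?(version = JSON::VERSION)
  Gem::Version.new(version) < PATCHED_VERSION
end

# Hypothetical fallback for unpatched gems: a Hash subclass that rejects a
# repeated key itself. JSON.parse populates object_class instances via #[]=,
# so the gem's own allow_duplicate_key handling is not what does the check.
# The message is built with Ruby string interpolation, never a C format call.
class StrictHash < Hash
  def []=(key, value)
    raise JSON::ParserError, "duplicate key: #{key.inspect}" if key?(key)
    super
  end
end

# Parse untrusted JSON and reject duplicate keys either way:
# via the gem's option on patched versions, via StrictHash otherwise.
def parse_untrusted(doc, gem_version = JSON::VERSION)
  if vulnerable_json_version?(gem_version)
    JSON.parse(doc, object_class: StrictHash)
  else
    JSON.parse(doc, allow_duplicate_key: false)
  end
end

if $PROGRAM_NAME == __FILE__
  status = vulnerable_json_version? ? "UPDATE REQUIRED (< #{PATCHED_VERSION})" : "patched"
  puts "loaded json #{JSON::VERSION}: #{status}"

  # Constructed sample documents (not from the advisory).
  p parse_untrusted('{"user":"alice","role":"viewer"}')
  begin
    # Duplicate key whose name contains format-looking characters.
    parse_untrusted('{"role":"viewer","role%s":"x","role":"admin"}')
  rescue JSON::ParserError => e
    puts "rejected: #{e.message}"
  end
end
```

Run it with the application's own Ruby (for example through bundle exec) so that the printed JSON::VERSION reflects the gem the application really loads; a clean Gemfile.lock entry for json 2.15.2.1 is not sufficient if the interpreter's bundled copy wins.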
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: ruby, json, security, CVE-2026-33210, format-string-injection
- **Credibility**: unverified
- **Published**: 2026-04-25 13:54:08
- **ID**: 77083
- **URL**: https://whisperx.ai/en/intel/77083