Search for packages
| purl | pkg:gem/json@2.14.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-xghz-9k48-bqej
Aliases: CVE-2026-33210 GHSA-3m6g-2423-7cp3 |
Ruby JSON has a format string injection vulnerability ### Impact A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the `allow_duplicate_key: false` parsing option is used to parse user supplied documents. This option isn't the default, if you didn't opt-in to use it, you are not impacted. ### Patches Patched in `2.19.2`. ### Workarounds The issue can be avoided by not using the `allow_duplicate_key: false` parsing option. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T17:41:47.911666+00:00 | Ruby Importer | Affected by | VCID-xghz-9k48-bqej | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml | 38.4.0 |
| 2026-04-11T21:39:56.110715+00:00 | Ruby Importer | Affected by | VCID-xghz-9k48-bqej | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml | 38.3.0 |
| 2026-04-02T19:37:13.803103+00:00 | Ruby Importer | Affected by | VCID-xghz-9k48-bqej | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml | 38.1.0 |
| 2026-04-02T17:01:15.511577+00:00 | GHSA Importer | Affected by | VCID-xghz-9k48-bqej | https://github.com/advisories/GHSA-3m6g-2423-7cp3 | 38.1.0 |
| 2026-04-01T15:18:23.242719+00:00 | Ruby Importer | Affected by | VCID-xghz-9k48-bqej | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml | 38.0.0 |