VulnerableCode Package Details - pkg:gem/json@1.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-d6tn-s1q2-a3hc Aliases: CVE-2020-10663 GHSA-jphg-qwrw-7w9g	Unsafe object creation in json RubyGem The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.	2.3.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ebq1-gkhe-pua7 Aliases: CVE-2013-0269 GHSA-x457-cw4h-hq5f OSV-101137	Denial of Service and SQL Injection This package allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka.	1.5.5 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.6.8 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.7.7 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-xghz-9k48-bqej Aliases: CVE-2026-33210 GHSA-3m6g-2423-7cp3	Ruby JSON has a format string injection vulnerability ### Impact A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the `allow_duplicate_key: false` parsing option is used to parse user supplied documents. This option isn't the default, if you didn't opt-in to use it, you are not impacted. ### Patches Patched in `2.19.2`. ### Workarounds The issue can be avoided by not using the `allow_duplicate_key: false` parsing option.	2.15.2.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.17.1.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.19.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-d6tn-s1q2-a3hc
Aliases:
CVE-2020-10663
GHSA-jphg-qwrw-7w9g

Unsafe object creation in json RubyGem The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

2.3.0
Affected by 1 other vulnerability.

VCID-ebq1-gkhe-pua7
Aliases:
CVE-2013-0269
GHSA-x457-cw4h-hq5f
OSV-101137

Denial of Service and SQL Injection This package allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka.

1.5.5
Affected by 3 other vulnerabilities.

1.6.8
Affected by 3 other vulnerabilities.

1.7.7
Affected by 3 other vulnerabilities.

VCID-xghz-9k48-bqej
Aliases:
CVE-2026-33210
GHSA-3m6g-2423-7cp3

Ruby JSON has a format string injection vulnerability ### Impact A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the `allow_duplicate_key: false` parsing option is used to parse user supplied documents. This option isn't the default, if you didn't opt-in to use it, you are not impacted. ### Patches Patched in `2.19.2`. ### Workarounds The issue can be avoided by not using the `allow_duplicate_key: false` parsing option.

2.15.2.1
Affected by 1 other vulnerability.

2.17.1.2
Affected by 1 other vulnerability.

2.19.2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-cte2-nf4m-t7hm	Data Handling Stack Buffer Overflow This package contains an overflow condition that is triggered as user-supplied input is not properly validated when handling specially crafted data. This may allow a remote attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.	OSVDB-101157

Vulnerability

Summary

Aliases

VCID-cte2-nf4m-t7hm

Data Handling Stack Buffer Overflow This package contains an overflow condition that is triggered as user-supplied input is not properly validated when handling specially crafted data. This may allow a remote attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

OSVDB-101157

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T17:41:47.667375+00:00	Ruby Importer	Affected by	VCID-xghz-9k48-bqej	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml	38.4.0
2026-04-16T17:34:59.966758+00:00	Ruby Importer	Affected by	VCID-ebq1-gkhe-pua7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml	38.4.0
2026-04-11T22:14:15.216654+00:00	GitLab Importer	Affected by	VCID-d6tn-s1q2-a3hc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2020-10663.yml	38.3.0
2026-04-11T21:40:47.439363+00:00	GitLab Importer	Affected by	VCID-ebq1-gkhe-pua7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2013-0269.yml	38.3.0
2026-04-11T21:39:55.556471+00:00	Ruby Importer	Affected by	VCID-xghz-9k48-bqej	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml	38.3.0
2026-04-11T21:31:41.582466+00:00	Ruby Importer	Affected by	VCID-ebq1-gkhe-pua7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml	38.3.0
2026-04-02T22:26:36.270608+00:00	GitLab Importer	Affected by	VCID-d6tn-s1q2-a3hc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2020-10663.yml	38.1.0
2026-04-02T21:54:55.144651+00:00	GitLab Importer	Affected by	VCID-ebq1-gkhe-pua7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2013-0269.yml	38.1.0
2026-04-02T19:37:13.604241+00:00	Ruby Importer	Affected by	VCID-xghz-9k48-bqej	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml	38.1.0
2026-04-02T19:30:21.007266+00:00	Ruby Importer	Affected by	VCID-ebq1-gkhe-pua7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml	38.1.0
2026-04-01T16:44:31.765334+00:00	GitLab Importer	Affected by	VCID-d6tn-s1q2-a3hc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2020-10663.yml	38.0.0
2026-04-01T16:12:12.121455+00:00	GitLab Importer	Affected by	VCID-ebq1-gkhe-pua7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2013-0269.yml	38.0.0
2026-04-01T15:55:04.736710+00:00	Ruby Importer	Affected by	VCID-xghz-9k48-bqej	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml	38.0.0
2026-04-01T15:47:05.490230+00:00	Ruby Importer	Affected by	VCID-ebq1-gkhe-pua7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml	38.0.0
2026-04-01T12:46:45.432796+00:00	GitLab Importer	Fixing	VCID-cte2-nf4m-t7hm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/OSVDB-101157.yml	38.0.0