VulnerableCode Package Details - pkg:gem/json@1.4.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-d6tn-s1q2-a3hc Aliases: CVE-2020-10663 GHSA-jphg-qwrw-7w9g	Unsafe object creation in json RubyGem The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.	2.3.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ebq1-gkhe-pua7 Aliases: CVE-2013-0269 GHSA-x457-cw4h-hq5f OSV-101137	Denial of Service and SQL Injection This package allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka.	1.5.5 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.6.8 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.7.7 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-xghz-9k48-bqej Aliases: CVE-2026-33210 GHSA-3m6g-2423-7cp3	Ruby JSON has a format string injection vulnerability ### Impact A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the `allow_duplicate_key: false` parsing option is used to parse user supplied documents. This option isn't the default, if you didn't opt-in to use it, you are not impacted. ### Patches Patched in `2.19.2`. ### Workarounds The issue can be avoided by not using the `allow_duplicate_key: false` parsing option.	2.15.2.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.17.1.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.19.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-d6tn-s1q2-a3hc
Aliases:
CVE-2020-10663
GHSA-jphg-qwrw-7w9g

Unsafe object creation in json RubyGem The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

2.3.0
Affected by 1 other vulnerability.

VCID-ebq1-gkhe-pua7
Aliases:
CVE-2013-0269
GHSA-x457-cw4h-hq5f
OSV-101137

Denial of Service and SQL Injection This package allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka.

1.5.5
Affected by 3 other vulnerabilities.

1.6.8
Affected by 3 other vulnerabilities.

1.7.7
Affected by 3 other vulnerabilities.

VCID-xghz-9k48-bqej
Aliases:
CVE-2026-33210
GHSA-3m6g-2423-7cp3

Ruby JSON has a format string injection vulnerability ### Impact A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the `allow_duplicate_key: false` parsing option is used to parse user supplied documents. This option isn't the default, if you didn't opt-in to use it, you are not impacted. ### Patches Patched in `2.19.2`. ### Workarounds The issue can be avoided by not using the `allow_duplicate_key: false` parsing option.

2.15.2.1
Affected by 1 other vulnerability.

2.17.1.2
Affected by 1 other vulnerability.

2.19.2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-11T22:14:15.280920+00:00	GitLab Importer	Affected by	VCID-d6tn-s1q2-a3hc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2020-10663.yml	38.3.0
2026-04-11T21:40:47.505011+00:00	GitLab Importer	Affected by	VCID-ebq1-gkhe-pua7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2013-0269.yml	38.3.0
2026-04-11T21:39:55.617525+00:00	Ruby Importer	Affected by	VCID-xghz-9k48-bqej	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml	38.3.0
2026-04-11T21:31:41.643471+00:00	Ruby Importer	Affected by	VCID-ebq1-gkhe-pua7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml	38.3.0
2026-04-02T22:26:36.331257+00:00	GitLab Importer	Affected by	VCID-d6tn-s1q2-a3hc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2020-10663.yml	38.1.0
2026-04-02T21:54:55.206565+00:00	GitLab Importer	Affected by	VCID-ebq1-gkhe-pua7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2013-0269.yml	38.1.0
2026-04-02T19:37:13.626842+00:00	Ruby Importer	Affected by	VCID-xghz-9k48-bqej	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml	38.1.0
2026-04-02T19:30:21.073743+00:00	Ruby Importer	Affected by	VCID-ebq1-gkhe-pua7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml	38.1.0
2026-04-01T16:44:31.831036+00:00	GitLab Importer	Affected by	VCID-d6tn-s1q2-a3hc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2020-10663.yml	38.0.0
2026-04-01T16:12:12.183080+00:00	GitLab Importer	Affected by	VCID-ebq1-gkhe-pua7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/json/CVE-2013-0269.yml	38.0.0
2026-04-01T15:55:04.808579+00:00	Ruby Importer	Affected by	VCID-xghz-9k48-bqej	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml	38.0.0
2026-04-01T15:47:05.578565+00:00	Ruby Importer	Affected by	VCID-ebq1-gkhe-pua7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml	38.0.0