Cyber Resilience

CVE-2025-27788

High

Published: 12 March 2025

Published
12 March 2025
Modified
02 April 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0013 31.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27788 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Ruby-Lang Javascript Object Notation. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Deeper analysis

CVE-2025-27788 is an out-of-bounds read vulnerability (CWE-125) in the Ruby JSON library, a JSON implementation for Ruby. It affects versions starting from 2.10.0 up to but not including 2.10.2, where a specially crafted JSON document can trigger the issue, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), making it remotely exploitable over a network with low attack complexity, no required privileges or user interaction, and unchanged scope. Remote attackers can achieve denial of service by causing crashes in applications that parse untrusted JSON input using the affected library, with high impact on availability but no impact on confidentiality or integrity.

The vulnerability is addressed in Ruby JSON version 2.10.2, which includes the necessary fix. No known workarounds are available. Relevant resources include the security advisory at https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44, the fixing commit at https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf, and the release page at https://github.com/ruby/json/releases/tag/v2.10.2.

EU & UK References

Vulnerability details

JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted document could cause an out of bound read, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable.…

more

Version 2.10.2 fixes the problem. No known workarounds are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds read in Ruby JSON parser exploitable remotely (AV:N/AC:L/PR:N/UI:N) causes application crash, enabling endpoint DoS via application exploitation.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0048: External Harms

CVEs Like This One

CVE-2025-27219Same vendor: Ruby-Lang
CVE-2026-46727Same vendor: Ruby-Lang
CVE-2026-23388Shared CWE-125
CVE-2025-24265Shared CWE-125
CVE-2025-21717Shared CWE-125
CVE-2026-6918Shared CWE-125
CVE-2026-25942Shared CWE-125
CVE-2024-46670Shared CWE-125
CVE-2026-48132Shared CWE-125
CVE-2026-22023Shared CWE-125

Affected Assets

ruby-lang
javascript object notation
2.10.0 — 2.10.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of flaws such as the out-of-bounds read in Ruby JSON versions 2.10.0 to <2.10.2 by applying the patch in version 2.10.2.

preventdetect

Ensures receipt and dissemination of security advisories like GHSA-9m3q-rhmv-5q44, enabling prompt awareness and patching of the vulnerable Ruby JSON library.

prevent

Validates untrusted JSON inputs prior to parsing to block specially crafted documents that trigger the out-of-bounds read vulnerability.

References