CVE-2026-33210
Published: 20 March 2026
Summary
CVE-2026-33210 is a critical-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Ruby-Lang Json. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the vulnerability by requiring timely patching of affected Ruby JSON library versions to eliminate the format string injection flaw.
Mitigates exploitation by validating and sanitizing user-supplied JSON inputs before parsing with the vulnerable allow_duplicate_key: false option.
Prevents information disclosure and denial-of-service from format string injection by implementing secure error handling that avoids unsafe formatting operations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network-accessible format string flaw in JSON parsing library directly enables T1190 for initial access against public apps; memory disclosure supports T1212 for credential access; and induced crashes/resource exhaustion map to T1499.004 application exploitation for DoS. No RCE or other impacts indicated.
NVD Description
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is…
more
used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
Deeper analysisAI
CVE-2026-33210 is a format string injection vulnerability (CWE-134) in Ruby JSON, a JSON implementation for the Ruby programming language. It affects versions from 2.14.0 up to but not including 2.15.2.1, 2.17.1.2, and 2.19.2. The flaw arises when parsing user-supplied JSON documents with the allow_duplicate_key: false option enabled, potentially leading to denial of service or information disclosure. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating critical severity due to its network accessibility and high impact on confidentiality and availability.
Remote attackers require no privileges or user interaction to exploit this issue. By supplying specially crafted JSON input to applications using the vulnerable Ruby JSON versions with the specified parsing option, adversaries can inject format strings, resulting in either denial of service through crashes or resource exhaustion, or leakage of sensitive memory contents.
The issue has been patched in Ruby JSON versions 2.15.2.1, 2.17.1.2, and 2.19.2. Security practitioners should prioritize upgrading affected dependencies to these versions. Additional details are available in the GitHub security advisory at https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3.
Details
- CWE(s)