Ruby JSON Library Patches Critical Format String Injection Vulnerability (CVE-2026-33210)
A critical security vulnerability has been patched in the widely used Ruby `json` gem, exposing applications to format string injection. The flaw, tracked as CVE-2026-33210, is reachable through `JSON.parse` when the opt-in `allow_duplicate_key: false` mode is used. The gem's parser is a C extension, so the consequence is more serious than it would be in pure Ruby: attacker-controlled bytes from the JSON document being parsed can be interpreted as printf-style format directives, which in C can read from or write to memory outside the intended buffer, potentially leading to memory corruption, information disclosure, or remote code execution depending on the platform and compiler. Any service that parses untrusted JSON with that option set is therefore directly exposed, since the attacker supplies the input.
The fix shipped in version 2.19.2 of the `json` gem. Applications still on 2.18.1 should move straight to 2.19.2; the intermediate release 2.19.1 does not contain the security fix, but it does fix a compiler-dependent garbage collection bug introduced in 2.18.0, so that correction comes along with the upgrade. The vulnerability sits in the parsing logic itself, the core function for handling data interchange in countless Ruby and Ruby on Rails applications, APIs, and microservices.
This security fix is a mandatory update for any project relying on the `json` gem, and that means nearly every Ruby project: `json` is a default gem bundled with Ruby and a transitive dependency of Rails and most API frameworks, so it is affected even when it never appears in a Gemfile. Teams should check the resolved version in `Gemfile.lock` (or, if it is absent there, the version bundled with the Ruby interpreter in use) rather than only their direct dependencies. Auditing for `allow_duplicate_key: false` call sites tells you where the vulnerable path is reachable today, but the upgrade should not wait on that audit, since the option can be enabled later or by a library. The presence of the flaw in a fundamental parsing option underscores the persistent security risks in foundational software libraries. The CVE identifier does not by itself indicate severity, but it does make the issue trackable: dependency scanners such as bundler-audit will flag affected lockfiles once their advisory databases pick it up.
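The following is an added exposure check, not code from the article or from the `json` gem's maintainers. It assumes the fixed version stated above (2.19.2) and treats every earlier release as affected; the `Gemfile.lock` excerpt and source snippet it scans are constructed sample input, and the helper names are our own. It reports the resolved `json` version from a lockfile, the version loaded in the current interpreter, and the source lines that opt into `allow_duplicate_key: false`.

```ruby
require "json"
require "rubygems"

# Fixed release per the advisory; everything below it is treated as affected.
FIXED_JSON_VERSION = Gem::Version.new("2.19.2")

# True when the given json gem version string still carries the bug.
def json_version_vulnerable?(version)
  Gem::Version.new(version) < FIXED_JSON_VERSION
end

# Resolved json version from Gemfile.lock text, or nil when the lockfile does
# not pin json at all (the app then runs whatever Ruby bundles as the default gem).
# Direct spec lines are indented by exactly four spaces; dependency lines
# (six spaces, with constraints such as ">= 2.0") are deliberately skipped.
def lockfile_json_version(lock_text)
  match = lock_text.match(/^ {4}json \(([^)]+)\)$/)
  match && match[1]
end

# Line numbers (1-based) of source lines that pass allow_duplicate_key: false
# in either symbol-key or hash-rocket form. A textual scan cannot see options
# assembled dynamically, so treat a hit as confirmation, not an empty result as proof.
def vulnerable_parse_calls(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(/allow_duplicate_key\s*(:|=>)\s*false/) }
        .map { |_, number| number }
end

# Combined report for one application: lockfile version, whether it is
# affected, and where the vulnerable option is used in its source files.
def exposure_report(lock_text, sources)
  version = lockfile_json_version(lock_text)
  {
    lock_version: version,
    lock_vulnerable: version ? json_version_vulnerable?(version) : nil,
    runtime_version: JSON::VERSION,
    runtime_vulnerable: json_version_vulnerable?(JSON::VERSION),
    call_sites: sources.transform_values { |src| vulnerable_parse_calls(src) }
                       .reject { |_, lines| lines.empty? }
  }
end

# Constructed sample input (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.18.1)
      rack (3.1.0)
      rails-like (7.1.0)
        json (>= 2.0)
LOCK

SAMPLE_SOURCE = <<~RUBY
  class WebhookHandler
    def call(body)
      JSON.parse(body, allow_duplicate_key: false)
    end

    def lenient(body)
      JSON.parse(body)
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  report = exposure_report(SAMPLE_LOCKFILE, "app/webhook_handler.rb" => SAMPLE_SOURCE)
  puts JSON.pretty_generate(report)
end
```

Run this against each repository's `Gemfile.lock` and source tree; a nil `lock_version` means the default gem shipped with the deployed Ruby decides exposure, so check `ruby -rjson -e 'puts JSON::VERSION'` on the actual runtime image as well.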