Ruby JSON Library Patches Critical Format String Injection Vulnerability (CVE-2026-33210)
A critical security vulnerability has been patched in the widely used Ruby `json` library, tracked as CVE-2026-33210. The flaw is a format string injection in the `JSON.parse` method when it is called with the `allow_duplicate_key: false` option. A vulnerability of this class can allow an attacker to execute arbitrary code or cause a denial of service through specially crafted JSON input, which puts at risk the many Ruby applications that parse untrusted data.
The patch was released in version 2.19.2 of the `json` gem. That release follows 2.19.1, which fixed a compiler-dependent garbage collection (GC) bug introduced in version 2.18.0; 2.19.2 carries that fix as well. The assignment of a CVE identifier reflects the severity of the flaw and formally records the risk it posed to the ecosystem.
This update highlights the ongoing security maintenance burden of foundational open-source dependencies. Developers and organizations relying on the Ruby `json` gem should upgrade to version 2.19.2 or later without delay. Unpatched applications remain exposed to a well-defined attack vector, underscoring the need for disciplined dependency management and prompt update cycles across the software supply chain.
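The practical check that follows from the advisory is whether a given application has actually moved to 2.19.2 or later. The script below is an added example written for this page, not code from the `json` gem or its maintainers: it reads the resolved `json` version out of Gemfile.lock text, compares it against the fixed version the article names, and also reports the version loaded in the running interpreter. It treats every version below 2.19.2 as unpatched, which is the article's guidance; it makes no attempt to determine the earliest affected release, which the article does not state. The lockfile content is constructed for the example, and the helper names (`needs_json_update?`, `locked_json_version`, `assess_lockfile`) are this example's own.

```ruby
require "rubygems" # Gem::Version for semantic version comparison
require "json"     # JSON::VERSION reports the gem actually loaded

# Fixed version named for CVE-2026-33210. Everything below it is treated as
# unpatched, matching the "upgrade to 2.19.2 or later" guidance.
FIXED_JSON_VERSION = Gem::Version.new("2.19.2")

# True when the given json gem version string still needs the update.
# Gem::Version handles multi-digit components correctly ("2.19.10" > "2.19.2"),
# which a plain string comparison would get wrong.
def needs_json_update?(version_string)
  Gem::Version.new(version_string) < FIXED_JSON_VERSION
end

# Extracts the resolved json gem version from Gemfile.lock text.
# Resolved gems appear under "specs:" indented by exactly four spaces, e.g.
#     json (2.19.1)
# Dependency constraints such as "      json (~> 2.0)" are indented deeper and
# carry an operator, so the anchored regex below skips them.
# Returns nil when the lockfile does not resolve json at all.
def locked_json_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}json \((\d+(?:\.\d+)*)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Summarises one lockfile: the resolved json version and whether it needs the update.
def assess_lockfile(lockfile_text)
  version = locked_json_version(lockfile_text)
  return { locked: nil, needs_update: nil, note: "json not resolved in lockfile" } if version.nil?

  { locked: version, needs_update: needs_json_update?(version) }
end

# Version of the json gem loaded in this interpreter (may differ from the lockfile).
def loaded_json_version
  JSON::VERSION
end

# Constructed sample lockfile for the example; pins a version below the fix.
SAMPLE_LOCKFILE = <<LOCK
GEM
  remote: https://rubygems.org/
  specs:
    json (2.19.1)
    rake (13.0.6)

PLATFORMS
  ruby

DEPENDENCIES
  json (~> 2.0)
  rake
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a real Gemfile.lock path to check a project; otherwise use the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = assess_lockfile(text)
  puts "lockfile json version: #{result[:locked].inspect} needs_update=#{result[:needs_update].inspect}"
  puts "loaded json version:   #{loaded_json_version} needs_update=#{needs_json_update?(loaded_json_version)}"
end
```

Run it with a project's Gemfile.lock as the first argument to check that project; with no argument it evaluates the constructed sample. Checking both the lockfile and `JSON::VERSION` matters because the gem bundled with the Ruby installation can differ from the one Bundler resolves, and a deployment that skips `bundle exec` may load the older copy.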