Ruby JSON Library Patches Critical Format String Injection Vulnerability (CVE-2026-33210)
A critical security vulnerability has been patched in the widely used Ruby `json` library, designated CVE-2026-33210. The flaw, a format string injection vulnerability, was present in the `JSON.parse` method when used with the `allow_duplicate_key: false` option. Format string injection of this kind can allow an attacker to crash the process (denial of service) or, in the worst case, execute arbitrary code by supplying specially crafted JSON input, posing a significant risk to the many Ruby applications that parse untrusted data.
The patch was released in version 2.19.2 of the `json` gem. The update follows two other recent releases: version 2.19.1, which fixed a compiler-dependent garbage collection bug introduced in version 2.18.0, and version 2.19.0, which corrected the behavior of the `allow_blank` parsing option. This rapid sequence of updates highlights underlying stability and security concerns within a core dependency for the Ruby ecosystem.
All Ruby developers and organizations should immediately upgrade their `json` gem dependency from version 2.18.0 to at least 2.19.2 to mitigate the CVE-2026-33210 risk. Failure to patch leaves applications exposed through a common data parsing pathway. The incident underscores the persistent security maintenance burden of open-source dependencies and the need for automated dependency monitoring in software supply chains.
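As an added example (not code from the advisory or from the `json` project), the following Ruby script reads a project's `Gemfile.lock` and reports whether the resolved `json` version is at or above 2.19.2, the first release named above as carrying the fix. The lockfile text is a constructed sample, and the `:not_locked` outcome is an assumption of this script for projects that get `json` from Ruby's bundled default gems rather than from the lockfile.

```ruby
require "rubygems"

# First json release that the advisory names as carrying the CVE-2026-33210 fix.
PATCHED_JSON_VERSION = Gem::Version.new("2.19.2")

# Extract the resolved version of the `json` gem from Gemfile.lock text.
# Resolved specs sit under "specs:" indented by exactly four spaces, e.g.
# "    json (2.18.0)"; deeper lines are dependency constraints (such as
# "      json (~> 2.0)") and must not be mistaken for a resolved version.
def locked_json_version(lockfile_text)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}json \(([\d.]+)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Returns :patched, :vulnerable, or :not_locked. The last case means json is
# not pinned by the lockfile (it may come from Ruby's default gems), so the
# installed version has to be checked separately, e.g. via `gem list json`.
def json_lock_status(lockfile_text)
  version = locked_json_version(lockfile_text)
  return :not_locked if version.nil?
  version >= PATCHED_JSON_VERSION ? :patched : :vulnerable
end

# Constructed sample lockfile (not from any real project) pinning json 2.18.0.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.18.0)
      rake (13.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    json (~> 2.0)
    rake
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "json in Gemfile.lock: #{json_lock_status(text)}"
end
```

Run it with the path to a real `Gemfile.lock` as the first argument to check a project; without arguments it evaluates the constructed sample.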