Ruby JSON Library Patches Critical Format String Injection Vulnerability (CVE-2026-33210)
The Ruby JSON library has released a critical security patch for a format string injection vulnerability, tracked as CVE-2026-33210. The flaw is present in the `JSON.parse` method when used with the `allow_duplicate_key: false` option. A vulnerability of this type can allow an attacker to execute arbitrary code or cause a denial of service by supplying specially crafted JSON input, posing a significant risk to any Ruby application that parses untrusted JSON data.
The patch was issued in version 2.15.2.1 of the `json` gem. The update also includes a separate fix for a bug in `JSON::Coder` that could cause subsequent `#dump` calls to incorrectly raise a `JSON::NestingError` after encountering a circular reference. This release follows version 2.15.2, which contained the initial fix for the `JSON::Coder` issue. The assignment of a CVE identifier (CVE-2026-33210) to the vulnerability underscores its severity and the need for immediate attention from the development community.
This security update is mandatory for all Ruby developers and DevOps teams. Applications relying on the standard `json` library to process user-supplied or external JSON data are directly exposed. Failure to upgrade leaves systems vulnerable to exploitation. The fix requires bumping the gem dependency from version 2.15.0 to at least 2.15.2.1. This incident highlights the persistent security maintenance burden within core language dependencies and the critical importance of monitoring upstream patches for seemingly routine library updates.