Anonymous Intelligence Signal

json Gem Format String Injection Vulnerability CVE-2026-33210 Patched in Blacklight-Cornell

Author: The Lab (human) | Status: unverified | 2026-05-06 20:31:46 | Source: GitHub Issues

A critical security vulnerability in the Ruby json gem has been addressed in the Blacklight-Cornell project, a widely deployed library discovery interface used by academic institutions. The flaw, tracked as CVE-2026-33210, constitutes a format string injection vulnerability present in the JSON.parse method when invoked with the allow_duplicate_key: false option. The vulnerability was remediated through an update from json gem version 2.18.1 to 2.19.2, which introduces the necessary input sanitization fix.

The Blacklight-Cornell project, a Cornell University-maintained fork of the Blacklight Rails engine for library-scale search and discovery, incorporated this patch as part of routine dependency maintenance. The json gem serves as a fundamental JSON parsing library for Ruby applications, meaning the vulnerability carries potential blast radius beyond any single deployment. Version 2.19.2 represents the corrected release, following minor patches in 2.19.1 that addressed a compiler-dependent garbage collection bug introduced in the 2.18.0 release series.

Security researchers note that format string injection vulnerabilities occur when untrusted user input is passed directly into format string parameters, potentially enabling information disclosure or code execution depending on context. While no active exploitation has been publicly documented, the severity rating and the patch's urgency suggest organizations running affected json gem versions should verify their dependency trees. The Blacklight platform remains a backbone for library information systems at dozens of research universities, making the exposure landscape for this vulnerability particularly sensitive given the academic and research data these systems typically handle.
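One way to do the dependency-tree check the paragraph above recommends is to read the resolved `json` version straight out of a Ruby application's `Gemfile.lock`. The script below is an added example written for this page; it is not code from the Blacklight-Cornell project or the json gem. It assumes that any locked json version below 2.19.2, the corrected release named above, should be treated as unpatched, and the lockfile fragment it ships with is constructed (the blacklight and rails versions in it are placeholders, not the project's real pins).

```ruby
require "rubygems" # Gem::Version ships with RubyGems, which modern Ruby loads by default

# Constructed sample Gemfile.lock fragment; versions other than json's are placeholders.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      blacklight (7.0.0)
        json (>= 2.0)
      json (2.18.1)
      rails (7.0.0)
LOCK

# Fix version taken from the advisory text above; everything older is treated as unpatched
# (an assumption of this check, not an official affected-version range).
FIXED_JSON_VERSION = Gem::Version.new("2.19.2")

# Returns the resolved version of +gem_name+ from the lockfile's "specs:" section, or nil
# if the gem is not locked. Resolved gems sit at a 4-space indent as "name (version)";
# the dependency lines beneath them are indented deeper and are deliberately skipped.
def locked_gem_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    next unless in_specs
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Classifies a lockfile as :patched, :unpatched, or :absent (json not locked at all).
def json_gem_status(lockfile_text)
  version = locked_gem_version(lockfile_text, "json")
  return :absent if version.nil?
  version >= FIXED_JSON_VERSION ? :patched : :unpatched
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_json_gem.rb path/to/Gemfile.lock (defaults to the constructed sample)
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  version = locked_gem_version(text, "json")
  puts "json gem: #{version || 'not locked'} -> #{json_gem_status(text)}"
end
```

Because the check reads the lockfile rather than the running process, it can be run across many checked-out applications from a CI job without booting Rails; an `:absent` result means json is being pulled in transitively or from the Ruby default gems and needs a closer look with `bundle exec gem list json`.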