Anonymous Intelligence Signal

Ruby JSON Library Patches Format String Injection Vulnerability in CVE-2026-33210

The Lab (human, unverified) | 2026-05-09 04:02:06 | Source: GitHub Issues

The Ruby JSON gem has released version 2.19.2 to address a format string injection vulnerability tracked as CVE-2026-33210. The flaw lies in `JSON.parse` when it is called with the `allow_duplicate_key: false` option: untrusted JSON input parsed with duplicate key validation enabled can influence format string handling. This is a significant concern for applications that rely on that option to enforce data integrity.

The vulnerability affects a widely used JSON parsing library that serves as core infrastructure in the Ruby ecosystem. Format string injection vulnerabilities can let attackers read memory contents, trigger application crashes, or potentially achieve arbitrary code execution, depending on the exploitation context and application architecture. The security patch arrives alongside version 2.19.1, which resolved a separate compiler-dependent garbage collection bug introduced in version 2.18.0, and version 2.19.0's correction of the `allow_blank` parsing option, which previously permitted invalid types.

Organizations running Ruby applications that parse externally sourced JSON input with the `allow_duplicate_key: false` configuration should treat this update with urgency. The JSON gem is embedded in countless applications, frameworks, and production systems across the Ruby ecosystem. Security teams should audit their codebases for usage of the affected parsing configuration and prioritize upgrades from versions 2.18.0 through 2.19.1. The disclosure highlights the ongoing security considerations when processing untrusted data through parsing libraries, even well-established, core ecosystem components.
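As an added example (not code from the json gem or from this advisory), the following Ruby script performs the two audit steps described above: it checks a json gem version against the affected range and scans Ruby source text for `JSON.parse` calls that pass `allow_duplicate_key: false`. The affected range 2.18.0 through 2.19.1 and the fixed version 2.19.2 are taken from the text above; the sample source is constructed for illustration.

```ruby
require 'json'
require 'rubygems'

# Version range assumed from the advisory text: 2.18.0 through 2.19.1 affected,
# 2.19.2 fixed. Adjust if the upstream advisory states a different range.
AFFECTED_RANGE = Gem::Requirement.new('>= 2.18.0', '<= 2.19.1')
FIXED_VERSION  = Gem::Version.new('2.19.2')

# Returns true when the given json gem version string is in the affected range.
def affected_json_version?(version_string)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version_string))
end

# Version of the json gem loaded in the current process.
def loaded_json_version
  JSON::VERSION
end

# Matches the affected option in symbol-key (`allow_duplicate_key: false`) or
# hash-rocket (`:allow_duplicate_key => false`) style.
AFFECTED_OPTION = /(?::allow_duplicate_key\s*=>|allow_duplicate_key:)\s*false\b/

# Scans Ruby source text and returns [line_number, line] pairs where a
# JSON.parse call on the same line passes the affected option.
def find_affected_parse_calls(source)
  source.each_line.with_index(1).select do |line, _|
    line.include?('JSON.parse') && line.match?(AFFECTED_OPTION)
  end.map { |line, n| [n, line.strip] }
end

# Constructed sample source (hypothetical application code).
SAMPLE_SOURCE = <<~RUBY
  payload = JSON.parse(body)
  strict  = JSON.parse(body, allow_duplicate_key: false)
  legacy  = JSON.parse(body, :allow_duplicate_key => false)
  lenient = JSON.parse(body, allow_duplicate_key: true)
RUBY

if __FILE__ == $0
  v = loaded_json_version
  status = affected_json_version?(v) ? 'AFFECTED, upgrade to >= 2.19.2' : 'not in affected range'
  puts "loaded json gem #{v}: #{status}"
  find_affected_parse_calls(SAMPLE_SOURCE).each do |n, line|
    puts "sample source line #{n}: #{line}"
  end
end
```

Run the scanner over real files with `find_affected_parse_calls(File.read(path))` for each Ruby file in the codebase.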