Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-475m-ph3x-64gp | Oj: Integer Overflow in Oj.load 2GB String Handling |
Tue, 07 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-787 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Wed, 01 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Ohler
Ohler oj Ohler55 Ohler55 oj |
|
| Vendors & Products |
Ohler
Ohler oj Ohler55 Ohler55 oj |
Wed, 01 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2. | |
| Title | Oj: Integer Overflow in Oj.load 2GB String Handling | |
| Weaknesses | CWE-190 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-01T12:43:48.523Z
Reserved: 2026-06-16T13:49:33.555Z
Link: CVE-2026-54903
Updated: 2026-07-01T12:43:43.773Z
No data.
OpenCVE Enrichment
Updated: 2026-07-01T15:15:04Z
Github GHSA