CVE-2025-27788
Published: 12 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-27788 is an out-of-bounds read vulnerability (CWE-125) in the Ruby JSON library, a JSON implementation for Ruby. It affects versions starting from 2.10.0 up to but not including 2.10.2, where a specially crafted JSON document can trigger the issue, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), making it remotely exploitable over a network with low attack complexity, no required privileges or user interaction, and unchanged scope. Remote attackers can achieve denial of service by causing crashes in applications that parse untrusted JSON input using the affected library, with high impact on availability but no impact on confidentiality or integrity.
The vulnerability is addressed in Ruby JSON version 2.10.2, which includes the necessary fix. No known workarounds are available. Relevant resources include the security advisory at https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44, the fixing commit at https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf, and the release page at https://github.com/ruby/json/releases/tag/v2.10.2.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds read in Ruby JSON parser exploitable remotely (AV:N/AC:L/PR:N/UI:N) causes application crash, enabling endpoint DoS via application exploitation.