CVE-2026-33210 is a vulnerability in the Ruby JSON library, specifically in versions 2.14.0 through versions prior to 2.15.2.1, 2.17.1.2, and 2.19.2. The issue arises from improper handling of externally-controlled format strings when the allow_duplicate_key: false parsing option is enabled. This option is intended to prevent duplicate keys in JSON objects but introduces a format string injection risk due to unsafe string formatting operations internally. An attacker can craft malicious JSON input that triggers this vulnerability, potentially causing denial of service by crashing the parser or leaking sensitive information through unintended format string processing. The vulnerability does not require authentication or user interaction, and the attack vector is network-based, as it involves parsing attacker-controlled JSON data. The CVSS 4.0 vector indicates low attack complexity, no privileges required, and no user interaction needed, with high impact on availability and moderate impact on confidentiality. The vulnerability has been patched in Ruby JSON versions 2.15.2.1, 2.17.1.2, and 2.19.2. No public exploits are known at this time, but the severity and ease of exploitation make timely patching critical.

This vulnerability can significantly impact organizations that rely on Ruby JSON for parsing untrusted JSON data, especially when the allow_duplicate_key: false option is used. Successful exploitation can lead to denial of service, disrupting application availability and potentially causing downtime or degraded service. Information disclosure risks may expose sensitive data, undermining confidentiality. Since Ruby is widely used in web applications, APIs, and backend services, exploitation could affect a broad range of industries including finance, healthcare, e-commerce, and technology. The lack of authentication requirements and ease of exploitation increase the threat surface, enabling remote attackers to launch attacks without prior access. Organizations that do not promptly update their Ruby JSON libraries risk operational disruption and data breaches, which could lead to financial loss, reputational damage, and regulatory penalties.

Organizations should immediately identify all systems using the Ruby JSON library versions 2.14.0 up to but not including 2.15.2.1, 2.17.1.2, and 2.19.2, especially those utilizing the allow_duplicate_key: false parsing option. The primary mitigation is to upgrade to the patched Ruby JSON versions 2.15.2.1, 2.17.1.2, or 2.19.2 as appropriate. If immediate upgrading is not feasible, consider disabling the allow_duplicate_key: false option temporarily to avoid triggering the vulnerability, though this may reduce JSON parsing strictness. Implement input validation and sanitization to limit exposure to malicious JSON inputs. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious JSON payloads. Monitor application logs for crashes or unusual behavior indicative of exploitation attempts. Conduct security testing and code reviews focusing on JSON parsing components. Finally, maintain an inventory of Ruby dependencies and establish a patch management process to rapidly respond to future vulnerabilities.