CVE-2026-33210 is a format string injection vulnerability classified under CWE-134, found in the Ruby JSON library versions 2.14.0 through versions prior to 2.15.2.1, 2.17.1.2, and 2.19.2. The vulnerability manifests when the JSON parser is invoked with the allow_duplicate_key: false option to parse user-supplied JSON documents. This option enforces uniqueness of keys but introduces a flaw where externally-controlled format strings can be injected and processed unsafely. An attacker can craft malicious JSON input that exploits this flaw, causing the Ruby JSON parser to interpret attacker-controlled data as format strings, leading to potential denial of service (e.g., application crashes) or information disclosure through unintended memory reads or logging outputs. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, with low attack complexity. The CVSS 4.0 vector indicates no privileges required, no user interaction, and a high impact on availability and moderate impact on confidentiality. The issue has been addressed in patched versions 2.15.2.1, 2.17.1.2, and 2.19.2 of the Ruby JSON library. No public exploits have been reported yet, but the high severity score and ease of exploitation make timely patching critical. This vulnerability affects any Ruby applications or services that parse JSON using the vulnerable library versions, especially those exposed to untrusted or external inputs.

The vulnerability poses a significant risk to organizations worldwide that use the Ruby JSON library in affected versions, particularly in web applications, APIs, and services that parse JSON data from untrusted sources. Exploitation can result in denial of service, causing application crashes or service outages, which impacts availability and can disrupt business operations. Additionally, information disclosure risks may expose sensitive data, potentially leading to further exploitation or data breaches. Since the vulnerability requires no authentication or user interaction and can be triggered remotely, attackers can exploit it at scale, increasing the threat surface. Organizations relying on Ruby for backend services, especially those in sectors like finance, healthcare, and e-commerce where JSON parsing is common, face heightened risks. The impact extends to software supply chains and development environments that incorporate vulnerable Ruby JSON versions, potentially affecting downstream applications. Failure to patch promptly could lead to exploitation in targeted attacks or automated scanning campaigns once public exploits emerge.

To mitigate CVE-2026-33210, organizations should immediately upgrade the Ruby JSON library to the patched versions 2.15.2.1, 2.17.1.2, or 2.19.2 depending on their Ruby environment. If upgrading is not immediately feasible, consider disabling or avoiding the use of the allow_duplicate_key: false parsing option when processing untrusted JSON input, as this triggers the vulnerability. Implement strict input validation and sanitization on JSON data sources to reduce the risk of malicious payloads reaching the parser. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with rules designed to detect and block suspicious JSON payloads containing format string patterns. Monitor application logs and network traffic for anomalies indicative of exploitation attempts, such as unexpected crashes or unusual format string patterns. Conduct code reviews and security testing focused on JSON parsing components to identify and remediate unsafe usage patterns. Finally, maintain an up-to-date inventory of Ruby dependencies and integrate automated vulnerability scanning into the CI/CD pipeline to detect vulnerable library versions proactively.