CVE-2026-33210 (High) detected in json-2.15.1.gem

[mend-bolt-for-github]

CVE-2026-33210 - High Severity Vulnerability

Vulnerable Library - json-2.15.1.gem

This is a JSON implementation as a Ruby extension in C.

Library home page: https://rubygems.org/gems/json-2.15.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/json-2.15.1.gem

Dependency Hierarchy:

• googleauth-1.15.1.gem (Root Library)
  • faraday-2.14.0.gem
    • ❌ json-2.15.1.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Publish Date: 2026-03-20

URL: CVE-2026-33210

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3m6g-2423-7cp3

Release Date: 2026-03-19

Fix Resolution: json - 2.19.2,json - 2.17.1.2,json - 2.15.2.1

---

Step up your Open Source Security Game with Mend here