CVE-2026-54896: Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent

June 19, 2026

Oj.dump in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object’s attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory.

References

github.com/advisories/GHSA-35w3-pjm6-wj95
github.com/ohler55/oj/security/advisories/GHSA-35w3-pjm6-wj95
nvd.nist.gov/vuln/detail/CVE-2026-54896

Code Behaviors & Features

Detect and mitigate CVE-2026-54896 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →