CVE-2022-32511: JMESPath for Ruby using JSON.load instead of JSON.parse

June 6, 2022 (updated November 7, 2023)

jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.

References

github.com/advisories/GHSA-5c5f-7vfq-3732
github.com/jmespath/jmespath.rb/compare/v1.6.0...v1.6.1
github.com/jmespath/jmespath.rb/pull/55
nvd.nist.gov/vuln/detail/CVE-2022-32511
stackoverflow.com/a/30050571/580231

Code Behaviors & Features

Detect and mitigate CVE-2022-32511 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →