CVE-2017-14064: Heap exposure vulnerability in generating JSON

There is a heap exposure vulnerability in JSON bundled by Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-14064.


The generate method of JSON module optionally accepts an instance of JSON::Ext::Generator::State class. If a malicious instance is passed, the result may include contents of heap.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected Versions

  • Ruby 2.2 series: 2.2.7 and earlier
  • Ruby 2.3 series: 2.3.4 and earlier
  • Ruby 2.4 series: 2.4.1 and earlier
  • prior to trunk revision 58323


The JSON library is also distributed as a gem. If you can’t upgrade Ruby itself, install JSON gem newer than version 2.0.4.


Thanks to ahmadsherif for reporting this issue.


  • Originally published at 2017-09-14 12:00:00 (UTC)