Verified Oj Ruby gem uninitialized stack memory leak via long JSON keys
REPRO-2026-00208 Jul 2, 2026 .txt
Severity MEDIUM
Confidence HIGH
Reproduced in 20m 41s
Tool calls 153
Spend $2.43
$ pruva-verify REPRO-2026-00208
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00208/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer, populating it with the attribute name, and then freeing it — but it passes the uninitialized stack buffer buf (not b) to rb_intern3(). rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf. The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents. Fixed in version 3.17.3.
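A self-contained C model of the long-key path described above, added here as an illustration; it is not Oj's source. model_intern is a hypothetical stand-in for rb_intern3(), the '@' prefix is an assumption of the model, and buf is pre-filled with a constructed marker byte so the stale-stack read is deterministic instead of undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define STALE 0x5A /* constructed stand-in for leftover stack bytes */

/* Hypothetical stand-in for rb_intern3(): copies exactly n bytes it is given. */
static char *model_intern(const char *p, size_t n) {
    char *out = malloc(n + 1);
    if (out != NULL) { memcpy(out, p, n); out[n] = '\0'; }
    return out;
}

/* Model of form_attr(). use_heap_buf: 0 = pre-3.17.3 call, 1 = corrected call. */
static char *model_form_attr(const char *key, size_t len, int use_heap_buf) {
    char buf[256], *b, *name;
    memset(buf, STALE, sizeof(buf)); /* the real buf is simply uninitialized */
    if (len < sizeof(buf) - 2) {     /* short key: buf is filled before use */
        buf[0] = '@';                /* '@' prefix is an assumption of the model */
        memcpy(buf + 1, key, len);
        return model_intern(buf, len + 1);
    }
    /* Keys >= 256 bytes would read past buf; the model refuses instead. */
    if (!use_heap_buf && len + 1 > sizeof(buf)) return NULL;
    if ((b = malloc(len + 2)) == NULL) return NULL;
    b[0] = '@';
    memcpy(b + 1, key, len);
    b[len + 1] = '\0';
    name = model_intern(use_heap_buf ? b : buf, len + 1); /* buf vs b is the bug */
    free(b);
    return name;
}

/* Bytes of the interned name that did not come from the key; -1 if refused. */
static long leaked_bytes(size_t key_len, int use_heap_buf) {
    char *key = malloc(key_len + 1), *name;
    long n = 0;
    size_t i;
    if (key == NULL) return -1;
    memset(key, 'k', key_len);
    key[key_len] = '\0';
    name = model_form_attr(key, key_len, use_heap_buf);
    free(key);
    if (name == NULL) return -1;
    for (i = 0; i < key_len + 1; i++) n += ((unsigned char)name[i] == STALE);
    free(name);
    return n;
}

int main(void) {
    printf("254-byte key: vulnerable=%ld fixed=%ld\n", leaked_bytes(254, 0), leaked_bytes(254, 1));
    return 0;
}
```

In the model, every byte of the name interned for a 254-byte key on the vulnerable path is marker data and none of it comes from the key, which is why an upgrade to 3.17.3 is the remedy and input filtering on key content is not.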

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.


05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/ticket.md 1.0 KB
bundle/ticket.json 1.4 KB
bundle/repro/probe.rb 1.4 KB
bundle/repro/runtime_manifest.json 0.7 KB
bundle/repro/validation_verdict.json 0.9 KB
bundle/logs/reproduction_steps.log 17.5 KB
bundle/logs/vuln_outcomes.txt 1.0 KB
bundle/logs/vuln_msg_lengths.txt 0.0 KB
bundle/logs/vuln_run1.bin 1.3 KB
bundle/logs/vuln_run2.bin 1.3 KB
bundle/logs/vuln_run3.bin 1.3 KB
bundle/logs/vuln_run4.bin 1.2 KB
bundle/logs/vuln_run5.bin 1.4 KB
bundle/logs/vuln_run6.bin 1.3 KB
bundle/logs/vuln_leak_count 0.0 KB
bundle/logs/vuln_err_count 0.0 KB
bundle/logs/vuln_correct_count 0.0 KB
bundle/logs/fixed_outcomes.txt 0.8 KB
bundle/logs/fixed_msg_lengths.txt 0.0 KB
bundle/logs/fixed_run1.bin 0.3 KB
bundle/logs/fixed_run2.bin 0.3 KB
bundle/logs/fixed_run3.bin 0.3 KB
bundle/logs/fixed_run4.bin 0.3 KB
bundle/logs/fixed_run5.bin 0.3 KB
bundle/logs/fixed_run6.bin 0.3 KB
bundle/logs/fixed_leak_count 0.0 KB
bundle/logs/fixed_err_count 0.0 KB
bundle/logs/fixed_correct_count 0.0 KB
bundle/logs/vuln_variant_repro.log 13.6 KB
bundle/logs/vuln_variant_outcomes.txt 9.7 KB
bundle/logs/fixed_variant_outcomes.txt 9.2 KB
bundle/logs/vuln_variant/fixed_version.txt 0.1 KB
bundle/vuln_variant/probe_variant.rb 5.1 KB
bundle/vuln_variant/runtime_manifest.json 0.8 KB
bundle/vuln_variant/patch_analysis.md 6.3 KB
bundle/vuln_variant/variant_manifest.json 4.0 KB
bundle/vuln_variant/validation_verdict.json 3.7 KB
bundle/vuln_variant/source_identity.json 1.5 KB
bundle/vuln_variant/root_cause_equivalence.json 2.4 KB
bundle/repro/reproduction_steps.sh 13.3 KB
bundle/repro/rca_report.md 8.6 KB
bundle/vuln_variant/reproduction_steps.sh 10.9 KB
bundle/vuln_variant/rca_report.md 12.2 KB