Verified Oj Ruby gem stack buffer overflow via large :indent value
REPRO-2026-00209 · oj · Ruby · Buffer Overflow · Jul 2, 2026
Severity MEDIUM
Confidence HIGH
Reproduced in 18m 33s
Tool calls 184
Spend $1.67
Affected < 3.17.2 (per user); GitHub advisory lists affected < 3.17.2, patched 3.17.3
Fixed in 3.17.3
$ pruva-verify REPRO-2026-00209
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00209/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Oj (Optimized JSON) is a JSON parser and object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.dump is vulnerable to a stack-based buffer overflow when the developer supplies a large :indent value. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size against the destination buffer. When opts->indent is set to INT_MAX (2,147,483,647), the (size_t) cast preserves the large value, so memset attempts to write 2 GB into the stack-allocated out buffer (4,184 bytes), corrupting the stack and crashing the process. Fixed in version 3.17.2.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.


05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/ticket.md (0.7 KB)
bundle/ticket.json (1.1 KB)
bundle/repro/validation_verdict.json (0.6 KB)
bundle/repro/runtime_manifest.json (0.4 KB)
bundle/logs/reproduction_steps.log (3.9 KB)
bundle/logs/vulnerable.log (1.1 KB)
bundle/logs/vulnerable.result (0.0 KB)
bundle/logs/fixed.log (0.2 KB)
bundle/logs/fixed.result (0.0 KB)
bundle/logs/vuln_variant_reproduction_steps.log (10.2 KB)
bundle/logs/vuln_dump.log (1.2 KB)
bundle/logs/vuln_dump.result (0.0 KB)
bundle/logs/fixed_dump.log (0.3 KB)
bundle/logs/fixed_dump.result (0.0 KB)
bundle/logs/latest_dump.log (0.3 KB)
bundle/logs/latest_dump.result (0.0 KB)
bundle/logs/vuln_string_writer.log (1.2 KB)
bundle/logs/vuln_string_writer.result (0.0 KB)
bundle/logs/fixed_string_writer.log (0.3 KB)
bundle/logs/fixed_string_writer.result (0.0 KB)
bundle/logs/latest_string_writer.log (0.3 KB)
bundle/logs/latest_string_writer.result (0.0 KB)
bundle/logs/vuln_stream_writer.log (1.2 KB)
bundle/logs/vuln_stream_writer.result (0.0 KB)
bundle/logs/fixed_stream_writer.log (0.4 KB)
bundle/logs/fixed_stream_writer.result (0.0 KB)
bundle/logs/latest_stream_writer.log (0.4 KB)
bundle/logs/latest_stream_writer.result (0.0 KB)
bundle/logs/vuln_default_options.log (1.2 KB)
bundle/logs/vuln_default_options.result (0.0 KB)
bundle/logs/fixed_default_options.log (0.3 KB)
bundle/logs/fixed_default_options.result (0.0 KB)
bundle/logs/latest_default_options.log (0.3 KB)
bundle/logs/latest_default_options.result (0.0 KB)
bundle/logs/vuln_negative_indent.log (0.0 KB)
bundle/logs/vuln_negative_indent.result (0.0 KB)
bundle/logs/fixed_negative_indent.log (0.0 KB)
bundle/logs/fixed_negative_indent.result (0.0 KB)
bundle/logs/latest_negative_indent.log (0.0 KB)
bundle/logs/latest_negative_indent.result (0.0 KB)
bundle/logs/vuln_bignum_indent.log (0.3 KB)
bundle/logs/vuln_bignum_indent.result (0.0 KB)
bundle/logs/fixed_bignum_indent.log (0.3 KB)
bundle/logs/fixed_bignum_indent.result (0.0 KB)
bundle/logs/latest_bignum_indent.log (0.3 KB)
bundle/logs/latest_bignum_indent.result (0.0 KB)
bundle/vuln_variant/patch_analysis.md (7.9 KB)
bundle/vuln_variant/validation_verdict.json (0.8 KB)
bundle/vuln_variant/variant_manifest.json (2.7 KB)
bundle/vuln_variant/source_identity.json (0.7 KB)
bundle/vuln_variant/runtime_manifest.json (1.2 KB)
bundle/vuln_variant/root_cause_equivalence.json (1.6 KB)
bundle/repro/reproduction_steps.sh (8.6 KB)
bundle/repro/rca_report.md (6.7 KB)
bundle/vuln_variant/reproduction_steps.sh (7.9 KB)
bundle/vuln_variant/rca_report.md (9.8 KB)