{"id":"CVE-2020-10663","details":"The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.","aliases":["GHSA-jphg-qwrw-7w9g"],"modified":"2026-05-30T12:00:07.988488261Z","published":"2020-04-28T21:15:11.667Z","related":["ALSA-2021:2587","ALSA-2021:2588","SUSE-RU-2020:2072-1","SUSE-SU-2020:0995-1","SUSE-SU-2020:1570-1","SUSE-SU-2020:1901-1","openSUSE-SU-2020:0586-1","openSUSE-SU-2024:11310-1","openSUSE-SU-2024:11311-1","openSUSE-SU-2024:11335-1","openSUSE-SU-2024:11786-1","openSUSE-SU-2024:11829-1","openSUSE-SU-2024:12712-1","openSUSE-SU-2024:13160-1","openSUSE-SU-2024:13623-1","openSUSE-SU-2024:13719-1","openSUSE-SU-2025:14621-1","openSUSE-SU-2025:15118-1","openSUSE-SU-2025:15819-1","openSUSE-SU-2026:10351-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_RANGE","vendor_product":"json_project:json","extracted_events":[{"last_affected":"2.2.0"}],"cpes":["cpe:2.3:a:json_project:json:*:*:*:*:*:ruby:*:*"]},{"source":"CPE_STRING","vendor_product":"apple:macos","extracted_events":[{"last_affected":"11.0.1"}],"cpes":["cpe:2.3:o:apple:macos:11.0.1:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"8.0"},{"last_affected":"10.0"}],"cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","vendor_product":"fedoraproject:fedora","extracted_events":[{"last_affected":"30"},{"last_affected":"31"}],"cpes":["cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","vendor_product":"opensuse:leap","extracted_events":[{"last_affected":"15.1"}],"cpes":["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QL6MJD2BO4IRJ5CJFNMCDYMQQFT24BJ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NK2PBXWMFRUD7U7Q7LHV4KYLYID77RI4/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2020/Dec/32"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210129-0003/"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT211931"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4721"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/json","events":[{"introduced":"0"},{"fixed":"6550c427e1e9b1e5e4f1c85346f7e319c647a876"}],"database_specific":{"source":"DESCRIPTION","extracted_events":[{"introduced":"0"},{"fixed":"2.2.0"}]}}],"versions":["v2.1.0","v2.0.2","v2.0.1","v2.0.0","v1.8.3","v1.8.2","v1.8.1","v1.8.0","v1.7.7","v1.6.7","v1.5.4","v1.7.6","v1.7.5","v1.7.4","v1.7.3","v1.7.2","v1.7.1","v1.7.0","v1.6.5","v1.6.4","v1.6.3","v1.6.2","v1.6.1","v1.6.0","v1.5.3","v1.5.2","v1.5.1","v1.5.0","v1.4.4-java","v1.4.3","v1.4.2","v1.4.1","v1.4.0","v1.2.0","v1.1.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10663.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"d4bb726b713658f56e630b6cf817a0155b6f390e"},{"fixed":"7c94ba3401772ca28edfdcb2ef95aec05242394e"},{"introduced":"4e0a512972cdcbfcd5279f1a2a81ba342ed75b6e"},{"fixed":"1c39daae0f9e1c6d34b53c6a214489fe76eaf38b"},{"introduced":"c1af7b1e1d408f9796a5f46c9ed36bc5adea4aa2"},{"fixed":"37c2cd3fa47c709570e22ec4dac723ca211f423a"}],"database_specific":{"source":"DESCRIPTION","extracted_events":[{"introduced":"2.4"},{"fixed":"2.4.9"},{"introduced":"2.5"},{"fixed":"2.5.7"},{"introduced":"2.6"},{"fixed":"2.6.5"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10663.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}