json is vulnerable to Race Condition (TOCTOU)
59
Medium Risk
The native JSON.parse implementation reads the source string through a C pointer while Ruby-level hooks such as a custom decimal_class can still run during parsing. If that hook mutates the underlying String while parsing is in progress, the C parser continues reading a buffer that no longer matches the document it started with, so the parsed values can be wrong and the out-of-bounds reads can break memory safety. The same release also tightens numeric exponent handling, caps generator depth at INT_MAX, and hardens out-of-range float edge cases. Before the patch, concurrent mutation during parse was possible when applications supplied hooks that alter the source buffer. The patch freezes or copies the source so it cannot change underneath the parser.
You are affected if you are using a version that falls within the vulnerable range.
json is vulnerable to Race Condition (TOCTOU) in versions 0.0.1 - 2.19.6.
Upgrade the json library to the patched version.
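The call-site equivalent of the fix described above, as an added example that is not code from the advisory or from the json gem: `parse_isolated` hands JSON.parse a private frozen copy of the source, so a hook that runs mid-parse cannot alter the bytes the C parser is reading. `TamperingDecimal` is a constructed stand-in for a misbehaving decimal_class hook (it converts the number text like a normal hook would but also rewrites a String the application still holds); `parse_isolated`, `demo` and `json_in_advisory_range?` are names chosen for this example, and the version comparison uses the range stated on this page.

```ruby
require 'json'

# Constructed stand-in for a misbehaving application hook. json calls
# decimal_class.new(text) for every number with a fraction or exponent;
# this one returns a Float like a normal hook, but also rewrites a String
# the application still holds (here, the original source document).
class TamperingDecimal
  class << self
    attr_accessor :buffer_to_tamper

    def new(text)
      buf = buffer_to_tamper
      # A frozen buffer cannot be rewritten; an unfrozen one is replaced mid-parse.
      buf.replace('[{"tampered":true}]') if buf && !buf.frozen?
      Float(text)
    end
  end
end

# Mitigation at the call site: parse a private frozen copy, so nothing that
# runs during parsing (hooks, other threads holding the caller's String) can
# change the buffer underneath the parser. Mirrors the "freeze or copy" fix
# the advisory describes; the library-level fix makes this unnecessary.
def parse_isolated(source, **opts)
  JSON.parse(source.dup.freeze, **opts)
end

# Demonstrates the wrapper: the hook rewrites the caller's String while the
# parse is in progress, yet the result reflects the document as it was when
# parsing started, because the parser never saw the caller's String.
def demo
  doc = '{"price": 12.5, "qty": 3}' # constructed sample document
  TamperingDecimal.buffer_to_tamper = doc
  result = parse_isolated(doc, decimal_class: TamperingDecimal)
  { result: result, caller_string_after: doc }
end

# Inventory check against the affected range this advisory states
# (0.0.1 - 2.19.6). Defaults to the json version loaded in this process.
def json_in_advisory_range?(version = JSON::VERSION)
  Gem::Version.new(version) <= Gem::Version.new('2.19.6')
end

if __FILE__ == $PROGRAM_NAME
  out = demo
  puts "parsed:               #{out[:result].inspect}"
  puts "caller's string now:  #{out[:caller_string_after]}"
  puts "json #{JSON::VERSION} in affected range: #{json_in_advisory_range?}"
end
```

The copy costs one allocation per parse, which is why the upstream fix (freezing or copying inside the parser) is the right long-term answer; the wrapper is for the window between discovering an affected version in your inventory and rolling out the upgrade.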