{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/library-vulnerability/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["oj gem (\u003c 3.17.2)"],"_cs_severities":["high"],"_cs_tags":["ruby","use-after-free","library-vulnerability","dos"],"_cs_type":"advisory","_cs_vendors":["Oj"],"content_html":"\u003cp\u003eA high-severity heap use-after-free vulnerability, identified as CVE-2026-54897, affects the \u003ccode\u003eOj::Doc\u003c/code\u003e iterators within the \u003ccode\u003eoj\u003c/code\u003e Ruby gem. Specifically, the \u003ccode\u003eeach_value\u003c/code\u003e, \u003ccode\u003eeach_child\u003c/code\u003e, and \u003ccode\u003eeach_leaf\u003c/code\u003e methods are vulnerable. The issue arises when a Ruby block, executed during the iteration process, makes a reentrant call to \u003ccode\u003edoc.close\u003c/code\u003e or \u003ccode\u003ed.close\u003c/code\u003e on the document or one of its child nodes. This premature closing operation frees the associated heap memory while the underlying C iterator in \u003ccode\u003eext/oj/fast.c\u003c/code\u003e is still active. Upon returning from the Ruby block, the C code attempts to access memory that has already been deallocated, leading to a use-after-free condition. This vulnerability, present in all \u003ccode\u003eoj\u003c/code\u003e gem versions utilizing \u003ccode\u003eext/oj/fast.c\u003c/code\u003e (confirmed up to v3.17.1), can be triggered from pure Ruby code and results in crashes and application instability, with arbitrary code execution possible in principle depending on heap state. 
Organizations running Ruby applications that parse JSON via the \u003ccode\u003eoj\u003c/code\u003e gem are at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA Ruby application integrates and uses the \u003ccode\u003eoj\u003c/code\u003e gem for JSON data processing.\u003c/li\u003e\n\u003cli\u003eThe application opens a JSON document for parsing using the \u003ccode\u003eOj::Doc.open\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe application initiates an iteration over the document's elements using a vulnerable iterator method such as \u003ccode\u003eeach_value\u003c/code\u003e, \u003ccode\u003eeach_child\u003c/code\u003e, or \u003ccode\u003eeach_leaf\u003c/code\u003e, providing a Ruby block for processing.\u003c/li\u003e\n\u003cli\u003eDuring the execution of the yielded Ruby block, a call is inadvertently made to \u003ccode\u003edoc.close\u003c/code\u003e or \u003ccode\u003ed.close\u003c/code\u003e on the \u003ccode\u003eOj::Doc\u003c/code\u003e instance or one of its child nodes.\u003c/li\u003e\n\u003cli\u003eThis \u003ccode\u003eclose\u003c/code\u003e operation triggers the \u003ccode\u003eruby_sized_xfree\u003c/code\u003e function within the \u003ccode\u003eext/oj/fast.c\u003c/code\u003e source, leading to the premature deallocation of the underlying heap memory buffer associated with the \u003ccode\u003eOj::Doc\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eControl returns from the Ruby block to the original C iterator function in \u003ccode\u003eext/oj/fast.c\u003c/code\u003e (e.g., \u003ccode\u003edoc_each_child\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe C iterator attempts to access or dereference pointers (like \u003ccode\u003ecur-\u0026gt;next\u003c/code\u003e) that point to the heap memory region which was previously freed in step 5.\u003c/li\u003e\n\u003cli\u003eThis access to deallocated memory results in a use-after-free condition, manifesting as 
application crashes, segmentation faults, or unpredictable program behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-54897 is application instability and denial of service through crashes. Applications utilizing the vulnerable \u003ccode\u003eoj\u003c/code\u003e gem can be forced to terminate unexpectedly, leading to service disruption. Depending on the memory layout and the specific memory contents at the time of the use-after-free, this vulnerability could potentially be exploited for arbitrary code execution, though this has not been specifically detailed in the advisory. This could compromise the integrity and confidentiality of data processed by the Ruby application. Any Ruby application that iterates untrusted JSON with the vulnerable \u003ccode\u003eOj::Doc\u003c/code\u003e iterators is at risk, specifically where the yielded block can reach a \u003ccode\u003eclose\u003c/code\u003e call on the document or a child node before the iteration has returned.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eoj\u003c/code\u003e gem to version 3.17.2 or later immediately to patch CVE-2026-54897.\u003c/li\u003e\n\u003cli\u003eReview application code for instances where \u003ccode\u003edoc.close\u003c/code\u003e or \u003ccode\u003ed.close\u003c/code\u003e might be called reentrantly within \u003ccode\u003eOj::Doc\u003c/code\u003e iterator blocks, as described in the overview; move any such \u003ccode\u003eclose\u003c/code\u003e out of the block so it runs after the iterator returns, for example in an \u003ccode\u003eensure\u003c/code\u003e clause.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects Ruby Process Access Violation (Windows)\u003c/code\u003e Sigma rule to monitor for unusual crashes in Ruby applications.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects Ruby Process Segmentation Fault (Linux)\u003c/code\u003e Sigma rule to monitor for crashes in Ruby applications on Linux systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T19:56:18Z","date_published":"2026-06-19T19:56:18Z","id":"https://feed.craftedsignal.io/briefs/2026-06-oj-use-after-free/","summary":"A 
heap use-after-free vulnerability (CVE-2026-54897) exists in `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) in the `oj` Ruby gem, allowing an attacker to cause application crashes or unpredictable behavior when a Ruby block yielded during iteration reentrantly calls `doc.close` or `d.close`.","title":"Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close","url":"https://feed.craftedsignal.io/briefs/2026-06-oj-use-after-free/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["undici \u003e= 7.23.0 \u003c 7.28.0","undici \u003e= 8.0.0 \u003c 8.2.0"],"_cs_severities":["high"],"_cs_tags":["library-vulnerability","cross-origin-request","data-leakage","nodejs"],"_cs_type":"advisory","_cs_vendors":["Node.js"],"content_html":"\u003cp\u003eThe \u003ccode\u003eundici\u003c/code\u003e Node.js HTTP/1.1 client library contains a high-severity vulnerability, identified as CVE-2026-6734, impacting its \u003ccode\u003eSocks5ProxyAgent\u003c/code\u003e component. This flaw, introduced in \u003ccode\u003eundici\u003c/code\u003e version 7.23.0 and present in 7.23.0 through 7.27.x and in 8.0.0 through 8.1.x (fixed in 7.28.0 and 8.2.0), allows cross-origin request routing. When an application uses \u003ccode\u003eSocks5ProxyAgent\u003c/code\u003e (either directly or via \u003ccode\u003esetGlobalDispatcher\u003c/code\u003e) and makes requests to multiple distinct origins, the library incorrectly reuses a single SOCKS5 connection pool without verifying that the pool's established origin matches the intended destination of subsequent requests. This misrouting can send sensitive data, such as credentials, to an unintended destination, and where the reused pool was established for a plain-HTTP origin it silently downgrades HTTPS requests to HTTP. 
This vulnerability is critical for applications that interact with various services through a shared SOCKS5 proxy agent.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn application initializes and configures \u003ccode\u003eundici\u003c/code\u003e to use a \u003ccode\u003eSocks5ProxyAgent\u003c/code\u003e for outgoing network requests, either globally via \u003ccode\u003esetGlobalDispatcher\u003c/code\u003e or locally.\u003c/li\u003e\n\u003cli\u003eThe application makes its first request to an \u003ccode\u003eorigin_A\u003c/code\u003e (e.g., \u003ccode\u003emalicious-domain.com\u003c/code\u003e) through the configured \u003ccode\u003eSocks5ProxyAgent\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eundici\u003c/code\u003e establishes a connection pool to \u003ccode\u003eorigin_A\u003c/code\u003e via the SOCKS5 proxy, associating this pool with the first requested origin.\u003c/li\u003e\n\u003cli\u003eSubsequently, the application attempts to make a request to a legitimate \u003ccode\u003eorigin_B\u003c/code\u003e (e.g., \u003ccode\u003esecure-service.com\u003c/code\u003e) using the \u003cem\u003esame\u003c/em\u003e \u003ccode\u003eSocks5ProxyAgent\u003c/code\u003e instance.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, \u003ccode\u003eundici\u003c/code\u003e reuses the existing connection pool (which was established for \u003ccode\u003eorigin_A\u003c/code\u003e) for the request to \u003ccode\u003eorigin_B\u003c/code\u003e, without validating the target origin.\u003c/li\u003e\n\u003cli\u003eAs a result, sensitive request data, including credentials, intended for \u003ccode\u003eorigin_B\u003c/code\u003e is misdirected and sent to \u003ccode\u003eorigin_A\u003c/code\u003e through the established SOCKS5 proxy connection.\u003c/li\u003e\n\u003cli\u003eThe application may then receive and trust responses from \u003ccode\u003eorigin_A\u003c/code\u003e, mistakenly believing they 
originated from \u003ccode\u003eorigin_B\u003c/code\u003e, leading to data corruption or further compromise.\u003c/li\u003e\n\u003cli\u003eFurthermore, if \u003ccode\u003eorigin_A\u003c/code\u003e supports HTTP and the connection was established as such, HTTPS requests intended for \u003ccode\u003eorigin_B\u003c/code\u003e can be silently downgraded to HTTP, compromising encryption and integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this vulnerability is the unintended exposure of sensitive data and potential compromise of application integrity. Applications that utilize \u003ccode\u003eSocks5ProxyAgent\u003c/code\u003e and interact with multiple origins are at risk. Credentials and request bodies intended for one origin can be misdirected to another, allowing an attacker to intercept or manipulate data. This can lead to unauthorized access, data breaches, and service disruption. Additionally, the silent downgrade of HTTPS requests to HTTP strips away crucial transport layer security, making communications vulnerable to eavesdropping and tampering. 
There is no specific victim count or sector information available, but any Node.js application using vulnerable versions of \u003ccode\u003eundici\u003c/code\u003e in the described configuration is affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade \u003ccode\u003enpm/undici\u003c/code\u003e to \u003ccode\u003ev7.28.0\u003c/code\u003e or later on the 7.x line, or \u003ccode\u003ev8.2.0\u003c/code\u003e or later on the 8.x line, to apply the official patches for CVE-2026-6734.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, implement the recommended workarounds by using a separate \u003ccode\u003eSocks5ProxyAgent\u003c/code\u003e instance per origin for \u003ccode\u003eundici\u003c/code\u003e or avoid using \u003ccode\u003eSocks5ProxyAgent\u003c/code\u003e with multiple origins.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect anomalous network traffic from Node.js processes (\u003ccode\u003enode.exe\u003c/code\u003e on Windows, \u003ccode\u003enode\u003c/code\u003e on Linux and macOS) that might indicate misrouted requests, specifically observing for connections to private IP ranges or unexpected HTTP traffic to external hosts.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive network connection logging for Node.js processes on all affected operating systems to improve visibility into potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T14:27:57Z","date_published":"2026-06-19T14:27:57Z","id":"https://feed.craftedsignal.io/briefs/2026-06-undici-socks5-proxy-vulnerability/","summary":"The undici library, when using `Socks5ProxyAgent`, is vulnerable to cross-origin request routing if a single connection pool is reused across different origins, potentially misdirecting requests and credentials, trusting responses from the wrong origin, and silently downgrading HTTPS requests to HTTP (CVE-2026-6734).","title":"undici Library Vulnerable to Cross-Origin Request Routing via 
SOCKS5 Proxy Reuse (CVE-2026-6734)","url":"https://feed.craftedsignal.io/briefs/2026-06-undici-socks5-proxy-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - Library-Vulnerability","version":"https://jsonfeed.org/version/1.1"}
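Both briefs above come down to the same first question for a practitioner: is an affected version present in my lockfiles? The script below is an added example, not part of the feed or of the oj or undici projects. It reads a Gemfile.lock and an npm package-lock.json and reports installed copies that fall inside the affected ranges stated in the two advisories (oj below 3.17.2; undici 7.23.0 up to but not including 7.28.0, and 8.0.0 up to but not including 8.2.0). The advisory table, the function names, and the lockfile parsing rules are this example's own assumptions, and the two lockfile excerpts are constructed so that it runs stand-alone.

```ruby
# Added example: audit a Gemfile.lock and an npm package-lock.json against the
# affected ranges stated in the two advisories above. Parsing rules, constants
# and function names are this example's own assumptions, not feed or project code.
require "json"
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# Affected ranges as stated in the advisories; fixed in oj 3.17.2 and in
# undici 7.28.0 (7.x line) / 8.2.0 (8.x line).
ADVISORIES = {
  "oj"     => { cve: "CVE-2026-54897", ecosystem: :rubygems,
                affected: [Gem::Requirement.new("< 3.17.2")] },
  "undici" => { cve: "CVE-2026-6734", ecosystem: :npm,
                affected: [Gem::Requirement.new(">= 7.23.0", "< 7.28.0"),
                           Gem::Requirement.new(">= 8.0.0", "< 8.2.0")] },
}.freeze

# Bundler writes each resolved gem in the "specs:" block with four spaces of
# indentation, e.g. "    oj (3.17.1)"; its dependencies follow with six spaces
# and a constraint instead of a version, so a 4-space + digit match is enough.
def gemfile_lock_versions(text)
  text.each_line.with_object({}) do |line, found|
    m = line.match(/\A {4}(\S+) \((\d[^)\s]*)\)\s*\z/)
    found[m[1]] = m[2] if m
  end
end

# npm lockfileVersion 2/3 list every installed copy under "packages", keyed by
# its path, so nested copies ("node_modules/a/node_modules/undici") are seen
# too; lockfileVersion 1 nests them under "dependencies" instead.
def package_lock_versions(text)
  lock  = JSON.parse(text)
  found = []
  if lock["packages"]
    lock["packages"].each do |path, meta|
      next if path.empty? || !meta["version"]
      found << [path.split("node_modules/").last, meta["version"]] # keeps @scope/name
    end
  else
    walk = lambda do |deps|
      (deps || {}).each do |name, meta|
        found << [name, meta["version"]] if meta["version"]
        walk.call(meta["dependencies"])
      end
    end
    walk.call(lock["dependencies"])
  end
  found.uniq
end

# Return [name, version, cve] for every installed copy inside an affected range.
# Gem::Version orders "7.28.0-rc.1" before 7.28.0, so an npm prerelease of the
# fixed version is reported as affected, which is the conservative choice.
def vulnerable_packages(pairs, ecosystem)
  pairs.filter_map do |name, ver|
    adv = ADVISORIES[name]
    next unless adv && adv[:ecosystem] == ecosystem && Gem::Version.correct?(ver)
    version = Gem::Version.new(ver)
    [name, ver, adv[:cve]] if adv[:affected].any? { |req| req.satisfied_by?(version) }
  end
end

def audit_lockfiles(gemfile_lock_text, package_lock_text)
  {
    rubygems: vulnerable_packages(gemfile_lock_versions(gemfile_lock_text).to_a, :rubygems),
    npm:      vulnerable_packages(package_lock_versions(package_lock_text), :npm),
  }
end

# Constructed sample lockfiles for a stand-alone run (not from any real project).
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bigdecimal (3.1.8)
      oj (3.17.1)
        bigdecimal (>= 3.0)
        ostruct (>= 0.2)
      ostruct (0.6.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    oj

  BUNDLED WITH
     2.5.9
LOCK

SAMPLE_PACKAGE_LOCK = <<~LOCKJSON
  {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
      "": { "name": "example-app", "dependencies": { "undici": "^7.25.0", "some-lib": "^1.2.3" } },
      "node_modules/undici": { "version": "7.25.0" },
      "node_modules/some-lib": { "version": "1.2.3", "dependencies": { "undici": "^7.28.0" } },
      "node_modules/some-lib/node_modules/undici": { "version": "7.28.0" }
    }
  }
LOCKJSON

if __FILE__ == $PROGRAM_NAME
  audit_lockfiles(SAMPLE_GEMFILE_LOCK, SAMPLE_PACKAGE_LOCK).each do |eco, hits|
    hits.each { |name, ver, cve| puts "#{eco}: #{name} #{ver} is affected by #{cve}" }
  end
end
```

Point `audit_lockfiles` at `File.read("Gemfile.lock")` and `File.read("package-lock.json")` for a real project. Nested copies matter for undici in particular: a fixed top-level version does not help if a dependency still pins its own 7.2x copy under its own `node_modules`, which is why the npm parser lists every path rather than only the top-level entry.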