Library-Vulnerability - CraftedSignal Threat Feed

Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close

hello@craftedsignal.io — Fri, 19 Jun 2026 19:56:18 +0000

A critical heap use-after-free vulnerability, identified as CVE-2026-54897, affects the Oj::Doc iterators within the oj Ruby gem. Specifically, the each_value, each_child, and each_leaf methods are vulnerable. The issue arises when a Ruby block, executed during the iteration process, makes a reentrant call to doc.close or d.close on the document or one of its child nodes. This premature closing operation frees the associated heap memory while the underlying C iterator in ext/oj/fast.c is still active. Upon returning from the Ruby block, the C code attempts to access memory that has already been deallocated, leading to a use-after-free condition. This vulnerability, present in all oj gem versions utilizing ext/oj/fast.c (confirmed up to v3.17.1), can be triggered from pure Ruby code and results in application instability, crashes, or potential arbitrary code execution. Organizations running Ruby applications that parse JSON via the oj gem are at risk.

Attack Chain

A Ruby application integrates and uses the oj gem for JSON data processing.
The application opens a JSON document for parsing using the Oj::Doc.open method.
The application initiates an iteration over the document's elements using a vulnerable iterator method such as each_value, each_child, or each_leaf, providing a Ruby block for processing.
During the execution of the yielded Ruby block, a call is inadvertently made to doc.close or d.close on the Oj::Doc instance or one of its child nodes.
This close operation triggers the ruby_sized_xfree function within the ext/oj/fast.c source, leading to the premature deallocation of the underlying heap memory buffer associated with the Oj::Doc object.
Control returns from the Ruby block to the original C iterator function in ext/oj/fast.c (e.g., doc_each_child).
The C iterator attempts to access or dereference pointers (like cur->next) that point to the heap memory region which was previously freed in step 5.
This access to deallocated memory results in a use-after-free condition, manifesting as application crashes, segmentation faults, or unpredictable program behavior.

Impact

The primary impact of CVE-2026-54897 is application instability and denial-of-service via crashing. Applications utilizing the vulnerable oj gem can be forced to terminate unexpectedly, leading to service disruption. Depending on the memory layout and the specific memory contents at the time of the use-after-free, this vulnerability could potentially be exploited for arbitrary code execution, though this has not been specifically detailed in the advisory. This could compromise the integrity and confidentiality of data processed by the Ruby application. Any Ruby application that handles untrusted JSON input and uses the vulnerable oj gem iterations is at risk.

Recommendation

Upgrade the oj gem to version 3.17.2 or later immediately to patch CVE-2026-54897.
Review application code for instances where doc.close or d.close might be called reentrantly within Oj::Doc iterator blocks, as described in the overview.
Deploy the Detects Ruby Process Access Violation (Windows) Sigma rule to monitor for unusual crashes in Ruby applications.
Deploy the Detects Ruby Process Segmentation Fault (Linux) Sigma rule to monitor for crashes in Ruby applications on Linux systems.

undici Library Vulnerable to Cross-Origin Request Routing via SOCKS5 Proxy Reuse (CVE-2026-6734)

hello@craftedsignal.io — Fri, 19 Jun 2026 14:27:57 +0000

The undici Node.js HTTP/1.1 client library contains a high-severity vulnerability, identified as CVE-2026-6734, impacting its Socks5ProxyAgent component. This flaw, introduced in undici version 7.23.0 and affecting all versions up to 8.1.0, allows for cross-origin request routing. When an application uses Socks5ProxyAgent (either directly or via setGlobalDispatcher) and makes requests to multiple distinct origins, the library incorrectly reuses a single SOCKS5 connection pool without verifying that the pool's established origin matches the intended destination of subsequent requests. This misrouting can lead to sensitive data exposure, such as credentials, being sent to unintended destinations, and can cause HTTPS requests to be silently downgraded to HTTP, undermining security. This vulnerability is critical for applications that interact with various services through a shared SOCKS5 proxy agent.

Attack Chain

An application initializes and configures undici to use a Socks5ProxyAgent for outgoing network requests, either globally via setGlobalDispatcher or locally.
The application makes its first request to an origin_A (e.g., malicious-domain.com) through the configured Socks5ProxyAgent.
undici establishes a connection pool to origin_A via the SOCKS5 proxy, associating this pool with the first requested origin.
Subsequently, the application attempts to make a request to a legitimate origin_B (e.g., secure-service.com) using the same Socks5ProxyAgent instance.
Due to the vulnerability, undici reuses the existing connection pool (which was established for origin_A) for the request to origin_B, without validating the target origin.
As a result, sensitive request data, including credentials, intended for origin_B is misdirected and sent to origin_A through the established SOCKS5 proxy connection.
The application may then receive and trust responses from origin_A, mistakenly believing they originated from origin_B, leading to data corruption or further compromise.
Furthermore, if origin_A supports HTTP and the connection was established as such, HTTPS requests intended for origin_B can be silently downgraded to HTTP, compromising encryption and integrity.

Impact

The primary impact of this vulnerability is the unintended exposure of sensitive data and potential compromise of application integrity. Applications that utilize Socks5ProxyAgent and interact with multiple origins are at risk. Credentials and request bodies intended for one origin can be misdirected to another, allowing an attacker to intercept or manipulate data. This can lead to unauthorized access, data breaches, and service disruption. Additionally, the silent downgrade of HTTPS requests to HTTP strips away crucial transport layer security, making communications vulnerable to eavesdropping and tampering. There is no specific victim count or sector information available, but any Node.js application using vulnerable versions of undici in the described configuration is affected.

Recommendation

Immediately upgrade npm/undici to version v7.28.0 or v8.2.0 or later to apply the official patches for CVE-2026-6734.
If immediate upgrade is not possible, implement the recommended workarounds by using a separate Socks5ProxyAgent instance per origin for undici or avoid using Socks5ProxyAgent with multiple origins.
Deploy the provided Sigma rules to detect anomalous network traffic from node.exe processes that might indicate misrouted requests, specifically observing for connections to private IP ranges or unexpected HTTP traffic to external hosts.
Enable comprehensive network connection logging for node.exe processes on all affected operating systems to improve visibility into potential exploitation attempts.