CVE-2020-10663

HIGH

JSON gem < 2.2.0 - Unsafe Object Creation via JSON Parsing


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-10663. PoCs published by rails-lts.

AI-analyzed exploit summary: This repository provides a monkey-patch for the `json` gem to mitigate CVE-2020-10663, a deserialization vulnerability that allows arbitrary object creation. The patch modifies `JSON.parse` to prevent unintended object unmarshalling when no options are explicitly provided.

Description

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

Exploits (1)

nomisec WORKING POC 3 stars
by rails-lts · poc
https://github.com/rails-lts/json_cve_2020_10663

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Reliable
Target: json gem (versions 1.7.7 to 2.2.x)
No auth needed
Prerequisites: Target system using vulnerable `json` gem version · Ability to send crafted JSON input to the target
devstral-2 · analyzed Feb 16, 2026

References (19)

Core References (19)
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00004.html
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2020/dsa-4721
Third Party Advisory (x_refsource_confirm): https://support.apple.com/kb/HT211931
Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2020/Dec/32
Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20210129-0003/

Scores

CVSS v3 7.5
EPSS 0.0589
EPSS Percentile 90.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20
Status published
Products (8)
apple/macos 11.0.1
debian/debian_linux 8.0
debian/debian_linux 10.0
fedoraproject/fedora 30
fedoraproject/fedora 31
json_project/json < 2.2.0
opensuse/leap 15.1
rubygems/json 0 - 2.3.0 (RubyGems)
Published Apr 28, 2020
Tracked Since Feb 18, 2026