CVE-2022-32511
Critical · CVSS 9.8
jmespath.rb — Unsafe deserialization via JSON.load instead of JSON.parse
- CVSS: 9.8 (nvd)
- EPSS: 2.13% (80th pct)
- KEV: No
- Class: oss containerizable
- CWE: NVD-CWE-noinfo
Description
jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.
Search profile — drives PoC discovery
Symbols: JSON.load, JSON.parse, jmespath, jmespath.rb, JMESPath
Keywords: CVE-2022-32511, jmespath.rb, JMESPath Ruby, JSON.load unsafe deserialization, jmespath ruby exploit, jmespath 1.6.1, JSON.load JSON.parse ruby
Versions: < 1.6.1
Candidate PoCs (1) — discovered, not yet vetted or ranked
- ARPSyndicate/cvemon (★ 0, source: trickest)
Recall-favoring discovery (nomi-sec + trickest). Vetting + ranking is the Stage-4 scorer.
References
- https://github.com/jmespath/jmespath.rb/compare/v1.6.0...v1.6.1
- https://github.com/jmespath/jmespath.rb/pull/55
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/376NUPIPTYBWWGS33GO4UOLQRI4D3BTP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGZ2YWONVFFOPACHAT4MM7ZBT4DNHOF5/
- https://stackoverflow.com/a/30050571/580231
Status: enriched · ingested 2026-06-15T18:00:58.000Z · profiled 2026-06-16T18:19:23.017Z