{
  "variant_id": "CVE-2026-54502-no-bypass",
  "created_at": "2026-07-02T00:00:00Z",
  "variant_summary": "No bypass found for the Oj :indent stack overflow. Alternate entry points (Oj::StringWriter, Oj::StreamWriter, Oj.default_options) trigger the same sink on the vulnerable version but are all covered by the upstream MAX_INDENT validation in parse_options_cb.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "ohler55/oj",
  "submitted_target": {
    "target_kind": "commit",
    "commit_sha": "4587e87e23adc9a4163834dc8c9ba9d7206c6501",
    "version": "3.17.1",
    "display": "ohler55/oj@4587e87 (v3.17.1, vulnerable)"
  },
  "variant_target": {
    "target_kind": "commit",
    "commit_sha": "b0677dccb6d3e3dc260d19e1f1c2c3913f378afc",
    "version": "3.17.2+",
    "display": "ohler55/oj@b0677dc (latest tested, fixed)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "library_api",
  "validated_surface": "library_api",
  "required_entrypoint_kind": "function_call",
  "required_entrypoint_detail": "Oj.dump, Oj::StringWriter, Oj::StreamWriter, or Oj.default_options with indent=INT_MAX",
  "attacker_controlled_input": "indent: 2147483647",
  "trigger_path": "Oj.dump / Oj::StringWriter / Oj::StreamWriter / Oj.default_options -> oj_parse_options -> parse_options_cb -> fill_indent -> memset",
  "observed_impact_class": "memory_corruption",
  "exploitability_confidence": "none",
  "evidence_scope": "realistic_harness",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "fix_covers_all_entry_points",
  "blocking_mitigation": "MAX_INDENT validation in parse_options_cb (commit ec368db) rejects indent > 16 for every tested dump API",
  "file_path": "ext/oj/oj.c",
  "line_start": 768,
  "line_end": 774,
  "secondary_anchors": [
    {
      "file_path": "ext/oj/dump.h",
      "line_start": 73,
      "line_end": 80
    },
    {
      "file_path": "ext/oj/string_writer.c",
      "line_start": 276,
      "line_end": 284
    },
    {
      "file_path": "ext/oj/stream_writer.c",
      "line_start": 108,
      "line_end": 119
    }
  ],
  "review_scope_paths": [
    "ext/oj/oj.c",
    "ext/oj/dump.h",
    "ext/oj/string_writer.c",
    "ext/oj/stream_writer.c"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant_reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": ["bundle/vuln_variant/reproduction_steps.sh"]
  }
}
