{"schema_version":"1.7.3","id":"GHSA-mpwp-4h2m-765c","published":"2026-01-16T19:21:54Z","modified":"2026-02-03T02:56:31.524961Z","summary":"Active Job - Object injection security vulnerability","details":"An Active Job bug allowed String arguments to be deserialized as if they were Global IDs. This is an object injection vulnerability: a job argument supplied as a plain string could be resolved to an object instead of being kept as a string. The issue is fixed in activejob 4.2.0.beta2.","affected":[{"package":{"name":"activejob","ecosystem":"RubyGems","purl":"pkg:gem/activejob"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.2.0.beta2"}]}],"versions":["0","4.2.0.beta1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mpwp-4h2m-765c/GHSA-mpwp-4h2m-765c.json"}}],"references":[{"type":"WEB","url":"https://advisories.gitlab.com/pkg/gem/activejob/OSVDB-112347"},{"type":"PACKAGE","url":"https://github.com/rails/rails"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/GHSA-mpwp-4h2m-765c.yml"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/OSVDB-112347.yml"}],"database_specific":{"cwe_ids":["CWE-74"],"github_reviewed":true,"github_reviewed_at":"2026-01-16T19:21:54Z","nvd_published_at":null,"severity":"MODERATE"},"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"}]}