Over the weekend, it was discovered that the json_pure gem is subject to a DoS attack when parsing specially formed JSON objects. This vulnerability does not affect the json gem, which uses a C extension, or ActiveSupport::JSON, which is used in Rails.
By default, Merb uses the json gem, which is not vulnerable, but falls back to jsonpure if json is not available. As a result, if you have jsonpure but not json on your system, you may be vulnerable. Additionally, Ruby 1.9.1 (but not Ruby 1.9 trunk) ships with json_pure, which remains vulnerable.
The easiest way to immunize yourself from this problem, no matter what Ruby version you are on, is to upgrade to the latest version of jsonpure, which resolves the vulnerability. Additionally, Merb 1.0.12 has been released, which monkey-patches jsonpure to remove the vulnerability, but prints a warning encouraging you to upgrade to the latest. Merb 1.0.12 only adds this patch on top of 1.0.11, so it should be perfectly safe to upgrade.