Indeed

>Taking an arbitrary String from a user and evaluating it is never a good idea from an insecure source

In that case, how is it possible to implement a JSON POST with that, for example?


The warnings, other than symbol GC in MRI <= 2.1, refer to using Oj in `object` mode: marshalling arbitrary Ruby object graphs to/from JSON. This is similar to pickle in Python. This mode isn't what you would be using at the boundary of something like an HTTP/JSON API.


That's pretty much the same as in the case of YAML, isn't it?


If you are referring to the Ruby YAML vulnerability, the problem is that the deserializer ends up calling methods on the deserialized object. This says it doesn't; it merely warns you against doing it yourself, or at least doing it carelessly.


Not so much. With YAML it's a feature baked into the syntax that you have to go to extra effort to avoid. With JSON, it's just a specific data schema you opt in to, so a non-aware decoder will just give you a Hash with some odd data in it.
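To make the distinction above concrete, here is an added Ruby example (not from this thread and not Oj's own code): it parses a constructed document shaped like Oj's object-mode output with the plain stdlib JSON decoder, which yields an ordinary Hash with odd keys, and adds a boundary check that flags or rejects documents carrying such markers. The assumption that a `"^o"` key names the class to instantiate is mine; adjust it to the marker set your decoder actually understands.

```ruby
require 'json'

# Constructed sample: a document shaped like Oj "object" mode output, where
# (assumption) a "^o" key names the Ruby class to instantiate. Treat it as
# untrusted input arriving at an HTTP/JSON API boundary.
UNTRUSTED_DOC = '{"^o":"SomeInternalClass","note":"hello","nested":{"^o":"Other","v":1}}'

# Parse with the plain stdlib decoder. It has no notion of object mode, so the
# marker keys are just ordinary string keys in an ordinary Hash: no class is
# looked up and no method is called on anything the input names.
def parse_plain(doc)
  JSON.parse(doc)
end

# Walk the parsed structure and collect the JSON path of every key that looks
# like an object-mode marker (keys beginning with "^"). Such keys should never
# appear in data a legitimate API client sends, so their presence is a useful
# detection signal even when the decoder itself is already non-aware.
def object_mode_markers(value, path = '$')
  case value
  when Hash
    value.flat_map do |k, v|
      hits = k.start_with?('^') ? ["#{path}.#{k}"] : []
      hits + object_mode_markers(v, "#{path}.#{k}")
    end
  when Array
    value.each_with_index.flat_map { |v, i| object_mode_markers(v, "#{path}[#{i}]") }
  else
    []
  end
end

# Boundary decoder: plain parse plus rejection of marker-bearing documents.
# Returns the Hash/Array for clean input, raises ArgumentError otherwise.
def decode_at_boundary(doc)
  data = parse_plain(doc)
  markers = object_mode_markers(data)
  raise ArgumentError, "object-mode markers present: #{markers.join(', ')}" unless markers.empty?
  data
end
```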



