CVE-2021-45958
Description
UltraJSON (ujson) through 5.1.0 contains a stack-based buffer overflow in Buffer_AppendIndentUnchecked, exploitable via large indentation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
UltraJSON (ujson) through version 5.1.0 contains a stack-based buffer overflow in the Buffer_AppendIndentUnchecked function, which is called from the encode path when generating JSON output with indentation [1][2]. The overflow occurs because the buffer size calculation does not account for the extra space required by a large indent parameter, leading to a write beyond the allocated stack buffer [4].
Exploitation
An attacker can trigger the vulnerability by providing a large integer value for the indent parameter (e.g., via ujson.dumps(data, indent=<large_number>)) [2]. No authentication or user interaction is required if the application exposes this functionality to untrusted input. The attack vector is network-based with low complexity, and the attacker can cause a stack buffer overflow by sending a crafted request that results in excessive indentation [2].
Impact
Successful exploitation of the stack-based buffer overflow can lead to memory corruption, potentially allowing arbitrary code execution or denial of service [2]. The CVSS v3.1 base score is 9.8 (Critical), indicating high impact on confidentiality, integrity, and availability [2]. An attacker could gain full control of the affected process.
Mitigation
The vulnerability is fixed in UltraJSON version 5.2.0, released on April 5, 2022 [4]. Users should upgrade to 5.2.0 or later. The project is in maintenance-only mode, and users are encouraged to migrate to orjson for better performance and security [3]. No workaround exists other than avoiding the use of large indent values or not using ujson in untrusted contexts.
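The two defensive checks a maintainer wants for this advisory are (a) a way to tell whether a pinned or installed ujson release falls inside the affected range from the table below, and (b) a guard that bounds the indent value and nesting depth before anything is handed to the encoder, since the page's only workaround is to avoid large indent values on untrusted paths. The following Python is an added example written for this page; it is not code from the UltraJSON project. The affected range (`>= 1.34, < 5.2.0`) is taken from the advisory table; the indent cap of 8, the nesting-depth budget of 64, the `safe_dumps` / `scan_requirements` helper names and the sample requirements file are assumptions constructed for illustration.

```python
"""Defensive helpers for CVE-2021-45958 (added example, not ujson project code)."""
import json
import re
from typing import Any, Callable, List, Tuple

# Affected PyPI range from the advisory table: >= 1.34, < 5.2.0.
AFFECTED_MIN = (1, 34)
FIXED_IN = (5, 2, 0)

# Constructed sample input (not from the advisory): a requirements file with one pin.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0
ujson==5.1.0   # inside the affected range
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted release version ('5.1.0', '1.35') into an int tuple.

    Components are read until the first non-numeric one, so '5.2.0rc1'
    becomes (5, 2, 0); good enough for a coarse affected-range check.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def _cmp_key(v: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    # Zero-pad so that (1, 34) and (1, 34, 0) compare equal.
    return v + (0,) * max(0, width - len(v))


def is_affected(version: str) -> bool:
    """True if this ujson release lies in the advisory's range >= 1.34, < 5.2.0."""
    v = _cmp_key(parse_version(version))
    return _cmp_key(AFFECTED_MIN) <= v < _cmp_key(FIXED_IN)


def scan_requirements(text: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every 'ujson==X' pin in a requirements file."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"ujson\s*==\s*([0-9][0-9A-Za-z.]*)", line, re.IGNORECASE)
        if m:
            hits.append((m.group(1), is_affected(m.group(1))))
    return hits


def max_depth(obj: Any) -> int:
    """Container nesting depth, computed iteratively: scalars 0, [] 1, [[1]] 2."""
    best = 0
    stack = [(obj, 0)]
    while stack:
        cur, d = stack.pop()
        if isinstance(cur, dict):
            children = list(cur.values())
        elif isinstance(cur, (list, tuple)):
            children = list(cur)
        else:
            best = max(best, d)
            continue
        best = max(best, d + 1)
        stack.extend((c, d + 1) for c in children)
    return best


def safe_dumps(obj: Any, indent: int = 0, max_indent: int = 8,
               depth_budget: int = 64,
               dumps: Callable[..., str] = json.dumps) -> str:
    """Encode only after bounding indent and nesting depth (assumed limits).

    `dumps` defaults to the stdlib encoder so this runs without ujson; pass
    ujson.dumps to wrap the real encoder. The pre-check rejects the inputs the
    advisory describes (large indent, deep nesting) before the encoder sees them.
    """
    if not isinstance(indent, int) or isinstance(indent, bool):
        raise TypeError("indent must be an int")
    if indent < 0 or indent > max_indent:
        raise ValueError(f"indent {indent} outside allowed range 0..{max_indent}")
    depth = max_depth(obj)
    if depth > depth_budget:
        raise ValueError(f"nesting depth {depth} exceeds budget {depth_budget}")
    # indent=0 means "no pretty-printing" for ujson; mirror that for json.dumps.
    return dumps(obj, indent=indent) if indent > 0 else dumps(obj)


if __name__ == "__main__":
    print(scan_requirements(SAMPLE_REQUIREMENTS))
    print(safe_dumps({"a": [1, 2]}, indent=2))
```

Upgrading to 5.2.0 remains the fix; the depth budget is an extra belt-and-braces bound, because indentation in a pretty-printer grows with nesting level, so a modest indent multiplied by attacker-controlled depth can still produce a large run of whitespace.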
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ujson (PyPI) | >= 1.34, < 5.2.0 | 5.2.0 |
Affected products
- UltraJSON/UltraJSON (GHSA coordinates, 6 versions)
  pkg:pypi/ujson
  pkg:rpm/opensuse/python-ujson&distro=openSUSE%20Leap%2015.4
  pkg:rpm/opensuse/python-ujson&distro=openSUSE%20Tumbleweed
  pkg:rpm/suse/python-ujson&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4
  pkg:rpm/suse/python-ujson&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4
  pkg:rpm/suse/python-ujson&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3
  range: >= 1.34, < 5.2.0 (+5 more)
- (no CPE) range: >= 1.34, < 5.2.0
- (no CPE) range: < 1.35-150100.3.8.1
- (no CPE) range: < 5.10.0-1.5
- (no CPE) range: < 1.35-150100.3.8.1
- (no CPE) range: < 1.35-150100.3.8.1
- (no CPE) range: < 1.35-150100.3.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds checking in Buffer_AppendIndentUnchecked allows a stack-based buffer overflow when encoding with large indentation."
Attack vector
An attacker can trigger the stack-based buffer overflow by providing input that causes UltraJSON's encoder to use a very large amount of indentation. The `Buffer_AppendIndentUnchecked` function writes past the end of the intended stack buffer because it does not validate the indentation size before copying. This can lead to memory corruption and potentially arbitrary code execution. The issue was originally discovered through an oss-fuzz test case [ref_id=1][ref_id=2].
Affected code
The vulnerability resides in the `Buffer_AppendIndentUnchecked` function, called from the `encode` path in UltraJSON (ujson) through version 5.1.0. The function performs a stack-based buffer write without bounds checking when handling large indentation amounts.
What the fix does
The advisory [ref_id=2] notes that the fix commit `5525f8c9ef8bb879dadd0eb942d524827d1b0362` was initially attributed to the AFL++ fuzzer, not to UltraJSON itself, and the CVE was questioned as possibly being a false positive. No definitive patch in the UltraJSON repository is confirmed in the bundle; the issue remains unresolved as of version 5.1.0. The recommended remediation would be to add bounds checking to `Buffer_AppendIndentUnchecked` to prevent writing beyond the allocated stack buffer.
Preconditions
- input: The attacker must supply input that causes ujson.encode to use a large indentation value.
- config: The application must call ujson.encode with attacker-controlled indentation or with data that triggers deep nesting producing large indentation.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fh56-85cw-5pq6 (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CN7W3GOXALINKFUUE7ICQIC2EF5HNKUQ/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O6JUWQTJLA2CMG4CJN7DCUVSOXLZIIXL/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULX35TSWLBBIMEH44MUORPXYYRZKEDC6/ (mitre, vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2021-45958 (ghsa, ADVISORY)
- bugs.chromium.org/p/oss-fuzz/issues/detail (ghsa, x_refsource_MISC, WEB)
- github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml (ghsa, x_refsource_MISC, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/ujson/PYSEC-2022-25.yaml (ghsa, WEB)
- github.com/ultrajson/ultrajson/issues/501 (ghsa, x_refsource_MISC, WEB)
- github.com/ultrajson/ultrajson/issues/502 (ghsa, x_refsource_MISC, WEB)
- github.com/ultrajson/ultrajson/pull/504 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/ultrajson/ultrajson/pull/519 (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2022/02/msg00023.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CN7W3GOXALINKFUUE7ICQIC2EF5HNKUQ (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O6JUWQTJLA2CMG4CJN7DCUVSOXLZIIXL (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULX35TSWLBBIMEH44MUORPXYYRZKEDC6 (ghsa, WEB)
News mentions
No linked articles in our index yet.