VYPR
Get started
← All advisories
High severityGHSA Advisory· Published May 12, 2026· Updated May 12, 2026

UltraJSON has a Memory Leak in ujson.dump() on Write Failure

CVE-2026-44660

Description

Summary

When ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload.

Code that uses ujson.dumps() rather than ujson.dump() or only JSON load/decode methods is unaffected.

Details

Vulnerability Location: - src/ujson/python/objToJSON.c:913 - objToJSONFile() function start - src/ujson/python/objToJSON.c:931 - Error return on write failure - src/ujson/python/objToJSON.c:942 - Early return without cleanup

Root Cause:

The objToJSONFile() function allocates a Python string object via ujson_dumps_internal(), calls the file's write() method, and returns early if write() raises an exception—but never calls Py_DECREF(string) on the early exit path.

PoC

import gc, tracemalloc, ujson

class BadFile:
    def write(self, s):
        raise RuntimeError("boom")

obj = {"x": "A" * 200000}

def run():
    try:
        ujson.dump(obj, BadFile())
    except RuntimeError:
        pass

run()
tracemalloc.start()
gc.collect()
base = tracemalloc.get_traced_memory()[0]

for i in range(5):
    run()
    gc.collect()
    cur = tracemalloc.get_traced_memory()[0]
    print(i, cur - base)

Impact

Any application that serializes data through ujson.dump() to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using ujson.dump() by repeatedly making requests then closing the connection mid response.

Remediation

The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to UltraJSON 5.12.1.

Workarounds

Replacing ujson.dump(obj, file) with file.write(ujson.dumps(obj)) is equivalent (contrary to popular misconception, there are no streaming benefits to using ujson.dump()) and will avoid the memory leak.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
ujsonPyPI
< 5.12.15.12.1

Affected products

1

Patches

1
82af1d0ac01d

Fix failure cleanup paths in ujson.dump()

https://github.com/ultrajson/ultrajsonBrénainn WoodsendMay 3, 2026via ghsa
commit
2 files changed · +40 0
  • src/ujson/python/objToJSON.c+7 0 modified
    @@ -913,6 +913,11 @@ PyObject* objToJSONFile(PyObject* self, PyObject *args, PyObject *kwargs)
   }
 
   argtuple = PyTuple_Pack(1, data);
+  if (argtuple == NULL)
+  {
+    Py_XDECREF(write);
+    return NULL;
+  }
 
   string = objToJSON (self, argtuple, kwargs);
 
@@ -929,13 +934,15 @@ PyObject* objToJSONFile(PyObject* self, PyObject *args, PyObject *kwargs)
   if (argtuple == NULL)
   {
     Py_XDECREF(write);
+    Py_DECREF(string);
     return NULL;
   }
 
   write_result = PyObject_CallObject (write, argtuple);
   if (write_result == NULL)
   {
     Py_XDECREF(write);
+    Py_DECREF(string);
     Py_XDECREF(argtuple);
     return NULL;
   }
  • tests/test_ujson.py+33 0 modified
    @@ -11,6 +11,7 @@
 import string
 import subprocess
 import sys
+import types
 import uuid
 from collections import OrderedDict
 from pathlib import Path
@@ -428,6 +429,38 @@ def test_dump_to_file_like_object():
 def test_dump_file_args_error():
     with pytest.raises(TypeError):
         ujson.dump([], "")
+    with pytest.raises(TypeError):
+        ujson.dump([], "", "")
+
+
+def test_dump_non_callable_write():
+    file = types.SimpleNamespace(write="a")
+    with pytest.raises(TypeError):
+        ujson.dump([7] * 100, file)
+
+
+def test_failed_dump():
+    with pytest.raises(TypeError):
+        ujson.dump([[0] * 100, object()], io.StringIO())
+
+
+def test_failed_dump_bogus_file():
+    file = types.SimpleNamespace(write=lambda: None)
+    with pytest.raises(TypeError, match="0 positional arguments"):
+        ujson.dump([0] * 100, file)
+
+
+def test_failed_dump_failed_write():
+    file = types.SimpleNamespace(write=lambda x: 1 / 0)
+    with pytest.raises(ZeroDivisionError):
+        ujson.dump([0] * 100, file)
+
+
+def test_failed_dump_closed_file():
+    file = io.StringIO()
+    file.close()
+    with pytest.raises(ValueError, match="closed file"):
+        ujson.dump([0] * 100, file)
 
 
 def test_load_file():

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.