PyPI package
ujson
pkg:pypi/ujson
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44660 | Hig | 7.5 | < 5.12.1 | 5.12.1 | May 27, 2026 | UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each fa | |
| CVE-2026-32875 | — | >= 5.1.0, < 5.12.0 | 5.12.0 | Mar 20, 2026 | UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the | ||
| CVE-2026-32874 | — | >= 5.4.0, < 5.12.0 | 5.12.0 | Mar 20, 2026 | UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form | ||
| CVE-2022-31116 | — | < 5.4.0 | 5.4.0 | Jul 5, 2022 | UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. | ||
| CVE-2022-31117 | — | < 5.4.0 | 5.4.0 | Jul 5, 2022 | UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, thi | ||
| CVE-2021-45958 | — | >= 1.34, < 5.2.0 | 5.2.0 | Dec 31, 2021 | UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation. |
- affected < 5.12.1fixed 5.12.1
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each fa
- CVE-2026-32875Mar 20, 2026affected >= 5.1.0, < 5.12.0fixed 5.12.0
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the
- CVE-2026-32874Mar 20, 2026affected >= 5.4.0, < 5.12.0fixed 5.12.0
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form
- CVE-2022-31116Jul 5, 2022affected < 5.4.0fixed 5.4.0
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly.
- CVE-2022-31117Jul 5, 2022affected < 5.4.0fixed 5.4.0
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, thi
- CVE-2021-45958Dec 31, 2021affected >= 1.34, < 5.2.0fixed 5.2.0
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.