VYPR

Ultrajson

by Ultrajson

Source repositories

CVEs (6)

  • CVE-2026-44660HigMay 27, 2026
    risk 0.42cvss 7.5epss 0.00

    UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each…

  • CVE-2026-54911Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Summary `ujson.dumps()` (or `ujson.dump()` or `ujson.encode()`) have a `reject_bytes=False` option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input…

  • CVE-2026-32875Mar 20, 2026
    risk 0.00cvss epss 0.00

    UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the…

  • CVE-2026-32874Mar 20, 2026
    risk 0.00cvss epss 0.00

    UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form…

  • CVE-2022-31116Jul 5, 2022
    risk 0.00cvss epss 0.02

    UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded…

  • CVE-2022-31117Jul 5, 2022
    risk 0.00cvss epss 0.01

    UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder,…

VYPR — Vulnerability Intelligence