Debian Ujson vulnerabilities

5 known vulnerabilities affecting debian/ujson.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 2

Vulnerabilities

CVE-2026-32874 [HIGH] CVSS 7.5 | 2026 | debian
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the i
CVE-2026-32875 [HIGH] CVSS 7.5 | 2026 | debian
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It ca
CVE-2022-31116 [HIGH] CVSS 7.5 | fixed in ujson 5.4.0-1 (bookworm) | 2022 | debian
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwritin
CVE-2022-31117 [MEDIUM] CVSS 5.9 | fixed in ujson 5.4.0-1 (bookworm) | 2022 | debian
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in vers
CVE-2021-45958 [MEDIUM] CVSS 5.5 | fixed in ujson 5.2.0-1 (bookworm) | 2021 | debian
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.
Scope: local
Debian suite status: bookworm: resolved (fixed in 5.2.0-1); bullseye: open; forky: resolved (fixed in 5.2.0-1); sid: resolved (fixed in 5.2.0-1); trixie: resolved (fixed in 5.2.0-1)