Ultrajson Project Ultrajson vulnerabilities

5 known vulnerabilities affecting ultrajson_project/ultrajson.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 2

Vulnerabilities

CVE-2026-32874 | HIGH | CVSS 7.5 | CWE-401 | affected: ≥ 5.4.0, < 5.12.0 | published: 2026-03-20 | source: nvd
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in the JSON parsing of large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective
CVE-2026-32875 | HIGH | CVSS 7.5 | CWE-190 | affected: ≥ 5.1.0, < 5.12.0 | published: 2026-03-20 | source: nvd
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds
CVE-2022-31116 | HIGH | CVSS 7.5 | CWE-670 | fixed in: 5.4.0 | published: 2022-07-05 | source: nvd
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and
CVE-2022-31117 | MEDIUM | CVSS 5.9 | CWE-415 | fixed in: 5.4.0 | published: 2022-07-05 | source: nvd
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been
CVE-2021-45958 | MEDIUM | CVSS 5.5 | CWE-787 | fixed in: 5.2.0 | published: 2022-01-01 | source: nvd
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.