Update dependency ujson to v5.12.0 [SECURITY]#65
Open
renovate[bot] wants to merge 1 commit intomainfrom
Open
Conversation
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==5.9.0→==5.12.0UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop
CVE-2026-32875 / GHSA-c8rr-9gxc-jprv
More information
Details
Summary
ujson.dumps()crashes the Python interpreter (segmentation fault) when the product of theindentparameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if theindentis a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service.(Note: A negative indent to
ujsonmeans add spaces after colons but do not add line breaks or indentation. It is unclear to the current maintainers whether this was ever even an intended feature or just a byproduct of the way it was written.)Exploitability
To be vulnerable, a service must call
ujson.dump()/ujson.dumps()/ujson.encode()whilst giving untrusted users control over theindentparameter and not restrict that indentation to reasonably small non-negative values. (Even with the fix for this vulnerability, such usage is strongly advised against since even a bug-free JSON serialiser would be vulnerable to denial of service simply by the attacker requesting indents that have the server needlessly filling out gigabytes of whitespace.)A service may also be vulnerable to the infinite loop if it uses a fixed negative
indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. As far as the maintainers are aware, the infinite loop can not be reached for indentations from -1 to -65536 / max_recursion_depth_as_limited_by_stack_size but users of negative indents are encouraged to consider their service affected even if the infinite loop seems unreachable.Example
Patches
ujson 5.12.0, containing 486bd4553dc471a1de11613bc7347a6b318e37ea, promotes the integer types where the overflow occurred, skips the indentation code path for negative indent (which was supposed to be a no-op) and places an artificial cap of 1000 on the
indentparameter.Workarounds
Users who don't wish to upgrade can either use a fixed indentation, no indentation or ensure indentation is non-negative and not enormous (below
2**31 / max_recursion_depth_as_limited_by_stack_size).References
The original bug report can be found at https://github.com/ultrajson/ultrajson/issues/700
This issue was independently discovered by @coco1629, @EthanKim88 and @vmfunc.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
UltraJSON has a Memory Leak parsing large integers allows DoS
CVE-2026-32874 / GHSA-wgvc-ghv9-3pmm
More information
Details
Summary
ujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers.
Exploitability
Any service that calls
ujson.load()/ujson.loads()/ujson.decode()on untrusted inputs is affected and vulnerable to denial of service attacks.Details
The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than
sys.get_int_max_str_digits()digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.Fix
The leak is fixed in
ujson 5.12.0(4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.Credits
Discovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
ultrajson/ultrajson (ujson)
v5.12.0Compare Source
Added
Changed
Fixed
v5.11.0Compare Source
Added
Changed
src/layout (#664) @hugovkFixed
v5.10.0Compare Source
Added
Configuration
📅 Schedule: Branch creation - "" in timezone America/Toronto, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.