ujson
PyPI6 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting ujsonpage 1 of 1
- CVE-2021-45958MEDIUMCVSS 5.5EG 5.5✓ Fixed in 5.1.02022-01-01
vulnerable: 4.0.2, 4.1.0, 4.2.0, 4.3.0, 5.0.0
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.
- CVE-2022-31116HIGHCVSS 7.5EG 7.5✓ Fixed in 5.4.02022-07-05
vulnerable: 1.15 ... 5.3.0 (31 versions)
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper…
- CVE-2022-31117MEDIUMCVSS 5.9EG 5.9✓ Fixed in 5.4.02022-07-05
vulnerable: 1.15 ... 5.3.0 (31 versions)
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how…
- CVE-2026-32874HIGHCVSS 7.5EG 7.5✓ Fixed in 5.12.02026-03-20
vulnerable: 5.10.0 ... 5.9.0 (8 versions)
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The le…
- CVE-2026-44660HIGHCVSS 7.5EG 7.5✓ Fixed in 5.12.12026-05-27
vulnerable: 1.15 ... 5.9.0 (40 versions)
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is…
- CVE-2026-54911MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.13.02026-06-19
vulnerable: 1.15 ... 5.9.0 (41 versions)
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or trunc…
Check whether ujson is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for ujson CVEs against the assets you own.
Start Free Scan →