GHSA-WGVC-GHV9-3PMM

Vulnerability from github – Published: 2026-03-18 13:01 – Updated: 2026-03-20 21:19
VLAI?
Summary
UltraJSON has a Memory Leak parsing large integers allows DoS
Details

Summary

ujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers.

Exploitability

Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks.

Details

The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.

ujson.loads(str(2 ** 64 - 1))  # No leak
ujson.loads(str(2 ** 64))  # Leaks
ujson.loads(str(10 ** sys.get_int_max_str_digits()))  # Leaks and raises ValueError

Fix

The leak is fixed in ujson 5.12.0 (4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.

Credits

Discovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.11.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "ujson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.4.0"
            },
            {
              "fixed": "5.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T13:01:15Z",
    "nvd_published_at": "2026-03-20T02:16:35Z",
    "severity": "HIGH"
  },
  "details": "#### Summary\n\nujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing _large_ (outside of the range [-2^63, 2^64 - 1]) integers.\n\n#### Exploitability\n\nAny service that calls `ujson.load()`/`ujson.loads()`/`ujson.decode()` on untrusted inputs is affected and vulnerable to denial of service attacks.\n\n#### Details\n\nThe leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than `sys.get_int_max_str_digits()` digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.\n\n```python\nujson.loads(str(2 ** 64 - 1))  # No leak\nujson.loads(str(2 ** 64))  # Leaks\nujson.loads(str(10 ** sys.get_int_max_str_digits()))  # Leaks and raises ValueError\n```\n\n#### Fix\n\nThe leak is fixed in `ujson 5.12.0` (4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.\n\n#### Credits\n\nDiscovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)",
  "id": "GHSA-wgvc-ghv9-3pmm",
  "modified": "2026-03-20T21:19:48Z",
  "published": "2026-03-18T13:01:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32874"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ultrajson/ultrajson"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "UltraJSON has a Memory Leak parsing large integers allows DoS "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.