Source: ujson
Version: 5.11.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: forwarded -1 https://github.com/ultrajson/ultrajson/issues/700
Control: found -1 5.10.0-1
Control: found -1 5.7.0-1
Hi,

The following vulnerability was published for ujson.

CVE-2026-32875[0]:
| UltraJSON is a fast JSON encoder and decoder written in pure C with
| bindings for Python 3.7+. Versions 5.10 through 5.11.0 are
| vulnerable to buffer overflow or infinite loop through large indent
| handling. ujson.dumps() crashes the Python interpreter (segmentation
| fault) when the product of the indent parameter and the nested depth
| of the input exceeds INT32_MAX. It can also get stuck in an infinite
| loop if the indent is a large negative number. Both are caused by an
| integer overflow/underflow whilst calculating how much memory to
| reserve for indentation. And both can be used to achieve denial of
| service. To be vulnerable, a service must call
| ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted
| users control over the indent parameter and not restrict that
| indentation to reasonably small non-negative values. A service may
| also be vulnerable to the infinite loop if it uses a fixed negative
| indent. An underflow always occurs for any negative indent when the
| input data is at least one level nested but, for small negative
| indents, the underflow is usually accidentally rectified by another
| overflow. This issue has been fixed in version 5.12.0.

It looks like the CVE description is wrong? As the issue seems triggerable
as well down to the bookworm version.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32875
    https://www.cve.org/CVERecord?id=CVE-2026-32875
[1] https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c8rr-9gxc-jprv
[2] https://github.com/ultrajson/ultrajson/issues/700
[3] https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

