Source: ujson
Version: 5.11.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ujson.

CVE-2026-54911[0]:
| UltraJSON is a fast JSON encoder and decoder written in pure C with
| bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or
| ujson.dump() or ujson.encode()) have a reject_bytes=False option.
| When set, they may accept malformed or truncated UTF-8 byte
| sequences, silently rewriting them into different Unicode characters
| instead of rejecting them. This leads to input validation bypass and
| data integrity issues. This vulnerability is fixed in 5.13.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54911
    https://www.cve.org/CVERecord?id=CVE-2026-54911
[1] https://github.com/ultrajson/ultrajson/security/advisories/GHSA-3j69-69wj-xqx2
[2] https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
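
As an added illustration of the defensive pattern the CVE description implies (example code, not part of this report, of ujson, or of the upstream fix): never hand raw bytes to the encoder; decode them strictly first, so a truncated sequence such as a cut-off euro sign raises instead of being quietly rewritten to a different character. The ujson import is optional and falls back to the standard library; the byte samples are constructed here.

```python
import json
from typing import Any

try:
    import ujson as _fast_json  # optional: stdlib json is used if ujson is absent
except ImportError:
    _fast_json = None


def validate_utf8_bytes(obj: Any) -> Any:
    """Recursively turn bytes into str, rejecting malformed or truncated UTF-8.

    errors="strict" raises UnicodeDecodeError on any bad sequence, which is the
    behaviour a caller wants from an input-validation boundary.
    """
    if isinstance(obj, (bytes, bytearray)):
        return bytes(obj).decode("utf-8", errors="strict")
    if isinstance(obj, dict):
        return {validate_utf8_bytes(k): validate_utf8_bytes(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [validate_utf8_bytes(v) for v in obj]
    return obj


def safe_dumps(obj: Any) -> str:
    """Encode obj to JSON without ever passing raw bytes to the encoder."""
    cleaned = validate_utf8_bytes(obj)
    if _fast_json is not None:
        return _fast_json.dumps(cleaned)  # default reject_bytes=True is untouched
    return json.dumps(cleaned)


def roundtrip(obj: Any) -> Any:
    """Helper for checking results: encode with safe_dumps, decode with stdlib json."""
    return json.loads(safe_dumps(obj))


def is_rejected(obj: Any) -> bool:
    """True if safe_dumps refuses obj because it carries invalid UTF-8."""
    try:
        safe_dumps(obj)
    except UnicodeDecodeError:
        return True
    return False


def lossy_decode(raw: bytes) -> str:
    """What silent rewriting looks like: bad bytes become U+FFFD instead of an error."""
    return raw.decode("utf-8", errors="replace")
```

Constructed inputs: b"\xe2\x82\xac5" is the valid encoding of "€5", while b"\xe2\x82" is the same sequence cut short.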
