CVE-2022-31116

HIGH

UltraJSON <5.4.0 - Info Disclosure

Title source: llm

Description

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.

References (4)

[Exploit, Third Party Advisory] https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r

[Patch, Third Party Advisory] https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687

View Patch ZIP pw:eip

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2/

Scores

CVSS v3 7.5

EPSS 0.0007

EPSS Percentile 21.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-670

Status published

Products (4)

fedoraproject/fedora 35

fedoraproject/fedora 36

pypi/ujson 0 - 5.4.0PyPI

ultrajson_project/ultrajson < 5.4.0

Published Jul 05, 2022

Tracked Since Feb 18, 2026