GHSA-3j69-69wj-xqx2

Source
https://github.com/advisories/GHSA-3j69-69wj-xqx2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3j69-69wj-xqx2/GHSA-3j69-69wj-xqx2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3j69-69wj-xqx2
Aliases
  • CVE-2026-54911
Related
Published
2026-06-19T20:47:43Z
Modified
2026-06-21T19:59:17.787182134Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
Details

Summary

ujson.dumps() (as well as ujson.dump() and ujson.encode()) accepts a reject_bytes=False option. When it is set, these functions may accept malformed or truncated UTF-8 byte sequences and silently rewrite them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues.

Details

The expected behavior is that for any bytes object x, either x == ujson.loads(ujson.dumps(x, reject_bytes=False)).encode(errors="surrogatepass") holds or ujson.dumps() raises an exception. In reality, some inputs that should have been rejected are silently rewritten into other strings:

  • Invalid continuation bytes are replaced with valid ones: b'\xcf\x13' -> b'\xcf\x93'
  • Unterminated sequence completes the sequence: b'\xc3' -> b'\xc3\x80'
  • ... or leads to reading past the end of string: b'\xf0\x90\x94' -> b"\xf0\x90\x94\x80inxcontrib'"

Impact

An application relying on reject_bytes=False for UTF-8 handling may experience:

  • Data integrity issues
  • Validation bypass, if that validation occurs before serialisation

Remediation

The missing/broken UTF-8 validation checks were added/fixed in https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf. We recommend upgrading to UltraJSON 5.13.0.

Workarounds

Decoding bytes to strings in Python before passing them to ujson.dumps() avoids this issue.
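The following is an added example, not code from the advisory or from the UltraJSON project. It implements two things the advisory describes: the round-trip invariant from the Details section, as a reusable check that can be pointed at any dumps/loads pair (including ujson with reject_bytes=False, if it is installed), and the workaround from this section, a wrapper that strictly decodes every bytes value with Python's own UTF-8 codec before the serializer ever sees it. The three malformed samples are the ones quoted in the advisory; the wrapper and its function names are this example's own. The default serializer is the standard-library json module so the example runs without ujson.

```python
import json
from typing import Any, Callable

# Constructed samples, copied from the advisory's three examples of
# malformed or truncated UTF-8 that ujson.dumps(reject_bytes=False)
# silently rewrote instead of rejecting.
BAD_SAMPLES = [b"\xcf\x13", b"\xc3", b"\xf0\x90\x94"]


def strict_decode(data: bytes) -> str:
    """Decode with Python's UTF-8 codec in its default strict mode.

    Invalid continuation bytes and truncated sequences raise
    UnicodeDecodeError here instead of being rewritten downstream.
    """
    return data.decode("utf-8")


def decode_bytes_tree(obj: Any) -> Any:
    """Recursively replace bytes with str so the serializer never sees raw bytes.

    Dict keys are decoded too, since JSON object keys must be strings.
    """
    if isinstance(obj, bytes):
        return strict_decode(obj)
    if isinstance(obj, dict):
        return {decode_bytes_tree(k): decode_bytes_tree(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [decode_bytes_tree(v) for v in obj]
    return obj


def safe_dumps(obj: Any, dumps: Callable[[Any], str] = json.dumps) -> str:
    """The advisory's workaround: decode in Python first, then serialize.

    `dumps` is any JSON serializer taking one argument (json.dumps by
    default; pass ujson.dumps or functools.partial(ujson.dumps, ...) to
    use UltraJSON).
    """
    return dumps(decode_bytes_tree(obj))


def rejects(data: bytes, dumps: Callable[[Any], str] = safe_dumps) -> bool:
    """True if the serializer refuses the input rather than emitting something."""
    try:
        dumps(data)
    except (UnicodeDecodeError, ValueError, TypeError):
        return True
    return False


def round_trip_holds(
    x: bytes,
    dumps: Callable[[Any], str] = safe_dumps,
    loads: Callable[[str], Any] = json.loads,
) -> bool:
    """The invariant stated in the advisory's Details section.

    Either dumps raises, or loads(dumps(x)).encode(errors="surrogatepass")
    gives back exactly x. A False result means the input was silently
    rewritten, which is the defect this advisory describes.
    """
    try:
        out = dumps(x)
    except (UnicodeDecodeError, ValueError, TypeError):
        return True
    return loads(out).encode("utf-8", errors="surrogatepass") == x


def classify(samples, dumps=safe_dumps, loads=json.loads) -> dict:
    """Map each sample to whether the invariant holds for the given pair."""
    return {s: round_trip_holds(s, dumps, loads) for s in samples}


if __name__ == "__main__":
    # With the workaround in place, every malformed sample is rejected.
    for s in BAD_SAMPLES:
        print(f"{s!r}: rejected by strict decode = {rejects(s)}")

    # Optional: exercise the same invariant against UltraJSON if installed.
    # Versions before 5.13.0 are expected to return False for these samples.
    try:
        import ujson  # noqa: F401  (only used if available)
    except ImportError:
        print("ujson not installed; skipping the reject_bytes=False comparison")
    else:
        raw = lambda v: ujson.dumps(v, reject_bytes=False)
        for s, ok in classify(BAD_SAMPLES, raw, ujson.loads).items():
            print(f"{s!r}: ujson reject_bytes=False round-trips = {ok}")
```

Running the module against an unpatched UltraJSON prints False for the three samples under the raw reject_bytes=False path and True once safe_dumps sits in front of it; the strict decode step is what turns a silent rewrite into an exception at the point of serialization, before any earlier validation can be bypassed.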

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-19T20:47:43Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

PyPI / ujson

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.13.0

Affected versions

1.*
1.4
1.6
1.8
1.9
1.15
1.18
1.19
1.21
1.22
1.23
1.30
1.33
1.34
1.35
2.*
2.0.0
2.0.1
2.0.2
2.0.3
3.*
3.0.0
3.1.0
3.2.0
4.*
4.0.0
4.0.1
4.0.2
4.1.0
4.2.0
4.3.0
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.4.0
5.5.0
5.6.0
5.7.0
5.8.0
5.9.0
5.10.0
5.11.0
5.12.0
5.12.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3j69-69wj-xqx2/GHSA-3j69-69wj-xqx2.json"
last_known_affected_version_range
"<= 5.12.1"