GHSA-wgvc-ghv9-3pmm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wgvc-ghv9-3pmm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wgvc-ghv9-3pmm/GHSA-wgvc-ghv9-3pmm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wgvc-ghv9-3pmm
- Aliases
-
- CVE-2026-32874
- Related
- Published
- 2026-03-18T13:01:15Z
- Modified
- 2026-03-23T05:09:14.196864728Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- UltraJSON has a Memory Leak parsing large integers allows DoS
- Details
-
Summary
ujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers.
Exploitability
Any service that calls
ujson.load()/ujson.loads()/ujson.decode()on untrusted inputs is affected and vulnerable to denial of service attacks.Details
The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than
sys.get_int_max_str_digits()digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.ujson.loads(str(2 ** 64 - 1)) # No leak ujson.loads(str(2 ** 64)) # Leaks ujson.loads(str(10 ** sys.get_int_max_str_digits())) # Leaks and raises ValueErrorFix
The leak is fixed in
ujson 5.12.0(4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.Credits
Discovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)
- Database specific
{ "nvd_published_at": "2026-03-20T02:16:35Z", "github_reviewed_at": "2026-03-18T13:01:15Z", "cwe_ids": [ "CWE-401" ], "severity": "HIGH", "github_reviewed": true }- References
-
- https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm
- https://nvd.nist.gov/vuln/detail/CVE-2026-32874
- https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2
- https://github.com/ultrajson/ultrajson
- https://github.com/ultrajson/ultrajson/releases/tag/5.12.0
Affected packages
PyPI / ujson
Package
- Name
- ujson
- View open source insights on deps.dev
- Purl
- pkg:pypi/ujson