CVE-2022-31116

NameCVE-2022-31116
DescriptionUltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ujson (PTS)buster1.35-3vulnerable
bullseye4.0.2-1vulnerable
bookworm5.7.0-1fixed
sid, trixie5.9.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ujsonsource(unstable)5.4.0-1

Notes

[bullseye] - ujson <no-dsa> (Minor issue)
[buster] - ujson <no-dsa> (Minor issue)
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r
https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687 (5.4.0)

Search for package or bug name: Reporting problems