PYSEC-2022-25 — Vulnetix

PYSEC-2022-25 PUBLISHED CVSS 9.300000190734863 CRITICAL

UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	ujson	4.0.2, 4.0.2, 4.1.0

Timeline

Jan 1, 2022 CVE Published
Nov 8, 2023 CVE Updated

References

https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml url
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 url
https://github.com/advisories/GHSA-fh56-85cw-5pq6 advisory
https://github.com/ultrajson/ultrajson/issues/501 discussion
https://github.com/ultrajson/ultrajson/issues/502#issuecomment-1031747284 discussion

Open in Interactive Console →