Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak when parsing large integers (those outside the range [-2^63, 2^64 - 1]) from JSON. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected for having more than sys.get_int_max_str_digits() digits, meaning that a leak of any size per malicious JSON payload can be achieved provided there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted input is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via uncontrolled memory growth
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in UltraJSON versions 5.4.0 through 5.11.0 and is triggered when the decoder encounters integers outside the range [-2^63, 2^64-1]. Each such integer leaks a copy of its string representation plus a trailing null byte, regardless of whether the integer is successfully parsed or is rejected because its digit count exceeds the limit reported by sys.get_int_max_str_digits(). The leak accumulates and can grow without bound if the JSON payload contains arbitrarily large integers and no size limit is enforced on it. The application can then run out of memory, become unresponsive, or crash, resulting in a denial of service.

Affected Systems

Any Python application that imports the ultrajson package and uses ujson.load, ujson.loads, or ujson.decode to process JSON data from an untrusted source is impacted. The affected releases are 5.4.0 to 5.11.0; earlier releases and version 5.12.0 or later are not affected.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% estimates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation has been confirmed to date. However, because no authentication or privileges are required, an attacker can trigger the leak simply by sending a crafted JSON payload containing large integers to a vulnerable service. The attack vector is delivery of such a payload over an exposed interface; once triggered, the result is service disruption through memory exhaustion.

Generated by OpenCVE AI on March 23, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ultrajson to version 5.12.0 or later
  • Implement input validation to reject integers outside the allowed range before passing them to the JSON decoder
  • Enforce size limits on JSON payloads to prevent the creation of excessively large inputs
  • Apply rate limiting or throttling to control the number of requests processed by the vulnerable application
  • Monitor memory usage and set alerts for abnormal growth to detect ongoing attacks
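The second and third recommendations can be enforced in front of the decoder. The following is an added example, not code from OpenCVE or the UltraJSON project: it caps the payload size and scans the raw JSON text for integer literals outside the [-2^63, 2^64-1] range quoted in the description, refusing the payload before any decoder sees it. The function names, the 1 MB default cap and the sample payloads are my own; the standard-library json.loads is used as a stand-in decoder so the example runs without ujson installed, and a real service would pass ujson.loads instead. Because the largest in-range value has 20 decimal digits, any longer literal is rejected on length alone, so the filter itself never converts a multi-megabyte digit string.

```python
import json
import re
from typing import Any, Callable, Iterator, Optional, Union

# Range quoted in the advisory: integers outside it reach the leaking code path
# in ujson 5.4.0 through 5.11.0.
INT_MIN = -(2 ** 63)
INT_MAX = 2 ** 64 - 1
# INT_MAX has 20 decimal digits, so any literal with more digits is certainly
# out of range and never needs to be converted with int().
MAX_DIGITS = len(str(INT_MAX))

# Matches a JSON number starting at the current offset (integer, fraction, exponent).
_NUMBER = re.compile(r"-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?")


class PayloadRejected(ValueError):
    """Raised when a payload is refused before it reaches the JSON decoder."""


def oversized_integers(text: str) -> Iterator[str]:
    """Yield every integer literal outside [INT_MIN, INT_MAX] in the raw JSON text.

    String literals are skipped (honouring backslash escapes) so digits inside
    keys or string values are never mistaken for numbers.
    """
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            i += 1
            while i < n and text[i] != '"':
                i += 2 if text[i] == "\\" else 1  # an escape consumes the next char too
            i += 1  # closing quote
        elif c == "-" or c in "0123456789":
            m = _NUMBER.match(text, i)
            if m is None:  # a stray '-' that is not a number; let the decoder report it
                i += 1
                continue
            lit = m.group(0)
            if not any(ch in lit for ch in ".eE"):  # integers only; floats are not affected
                digits = lit.lstrip("-")
                if len(digits) > MAX_DIGITS or not (INT_MIN <= int(lit) <= INT_MAX):
                    yield lit
            i = m.end()
        else:
            i += 1


def reject_reason(text: str, max_bytes: int = 1_000_000) -> Optional[str]:
    """Return why the JSON text should be refused, or None if it may be decoded."""
    if len(text.encode("utf-8")) > max_bytes:
        return "payload too large"
    bad = next(oversized_integers(text), None)
    if bad is not None:
        return f"integer literal out of range: {bad[:24]}"
    return None


def safe_loads(payload: Union[bytes, str], decoder: Callable[[str], Any] = json.loads,
               max_bytes: int = 1_000_000) -> Any:
    """Decode JSON only after the size cap and integer-range checks pass.

    `decoder` is a stand-in (hypothetical parameter); a service using UltraJSON
    would pass ujson.loads here.
    """
    if isinstance(payload, bytes):
        if len(payload) > max_bytes:  # check raw size before spending time decoding
            raise PayloadRejected("payload too large")
        payload = payload.decode("utf-8")
    reason = reject_reason(payload, max_bytes)
    if reason is not None:
        raise PayloadRejected(reason)
    return decoder(payload)


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    print(safe_loads('{"id": 12, "n": [-9223372036854775808, 18446744073709551615]}'))
    print(reject_reason('{"n": 18446744073709551616}'))
    print(reject_reason("[" + "9" * 5000 + "]", max_bytes=100))
```

The scanner is linear in the payload length and rejects on the first offending literal, so it adds little cost to normal traffic while guaranteeing that the decoder only ever sees integers inside the range the advisory names.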

Advisories
Source: Github GHSA
ID: GHSA-wgvc-ghv9-3pmm
Title: UltraJSON has a Memory Leak parsing large integers allows DoS
History

Mon, 23 Mar 2026 15:30:00 +0000

First Time appeared (values added): Ultrajson Project; Ultrajson Project ultrajson
CPEs (values added): cpe:2.3:a:ultrajson_project:ultrajson:*:*:*:*:*:python:*:*
Vendors & Products (values added): Ultrajson Project; Ultrajson Project ultrajson

Fri, 20 Mar 2026 17:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 12:15:00 +0000

Weaknesses (values added): CWE-772
References: (no values shown)
Metrics threat_severity: removed None; added Important

Fri, 20 Mar 2026 09:00:00 +0000

First Time appeared (values added): Ultrajson; Ultrajson ultrajson
Vendors & Products (values added): Ultrajson; Ultrajson ultrajson

Fri, 20 Mar 2026 02:15:00 +0000

Description (values added): identical to the Description at the top of this page
Title (values added): UltraJSON has a Memory Leak parsing large integers allows DoS
Weaknesses (values added): CWE-401
References: (no values shown)
Metrics (values added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T16:38:13.493Z

Reserved: 2026-03-16T21:03:44.420Z

Link: CVE-2026-32874

Vulnrichment

Updated: 2026-03-20T16:36:21.330Z

NVD

Status: Analyzed

Published: 2026-03-20T02:16:35.703

Modified: 2026-03-23T15:27:14.450

Link: CVE-2026-32874

Redhat

Severity: Important

Public Date: 2026-03-20T01:31:30Z

Links: CVE-2026-32874 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:10:07Z

Weaknesses