Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via crash or infinite loop
Action: Immediate Patch
AI Analysis

Impact

UltraJSON, a fast JSON encoder and decoder written in pure C, has a flaw in its handling of the indent parameter during dumps or encode operations. When the product of the indent value and the nested depth of the input data exceeds the maximum 32‑bit signed integer value, an integer overflow occurs, leading to a buffer overflow that crashes the Python interpreter. Additionally, supplying a large negative indent causes an integer underflow that can trap the encoder in an infinite loop. Both behaviors provide a route for an attacker to cause a denial of service. The weakness relates to integer overflows, buffer overflows, and uncontrolled loop termination (CWE‑190, CWE‑787, CWE‑835).

Affected Systems

The vulnerability affects the UltraJSON project, specifically the ultrajson Python package. Versions 5.10 through 5.11.0, shipped for Python 3.7 and later, are vulnerable. Upgrading to version 5.12.0 or newer removes the issue.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and the low EPSS score (<1%) suggests that exploitation is not currently widespread. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that an application accepts user‑controlled values for the indent parameter in ujson.dump(), ujson.dumps(), or ujson.encode() without validating or restricting it to small non‑negative values. A malicious user can supply a carefully crafted indent value to trigger a crash or hang, disabling the affected service.
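The mitigation the analysis describes, restricting the indent parameter to small non-negative values before it reaches ujson, can be enforced in a thin wrapper. The following is an added example written for this page, not code from the UltraJSON project; the INT32_MAX bound and the indent-times-depth condition come from the advisory text, while the MAX_SAFE_INDENT limit of 8 and the function names are assumptions. It falls back to the standard-library json module when ujson is not installed, so it runs offline:

```python
"""Defensive wrapper around ujson.dumps() for the indent handling issue in
CVE-2026-32875. Added example for this page, not UltraJSON project code."""
import json

try:
    import ujson  # optional: the stdlib encoder is used if ujson is absent
except ImportError:
    ujson = None

INT32_MAX = 2**31 - 1   # the overflow boundary named in the advisory
MAX_SAFE_INDENT = 8     # assumption: largest indent a service should accept


def validate_indent(indent):
    """Accept only integers in 0..MAX_SAFE_INDENT.

    Negative values are rejected because the advisory states an underflow
    occurs for any negative indent on nested input; large positive values
    are rejected so indent * depth can never approach INT32_MAX.
    """
    if isinstance(indent, bool) or not isinstance(indent, int):
        raise TypeError("indent must be an int")
    if indent < 0:
        raise ValueError("negative indent is not allowed")
    if indent > MAX_SAFE_INDENT:
        raise ValueError(f"indent {indent} exceeds limit {MAX_SAFE_INDENT}")
    return indent


def indent_is_accepted(indent):
    """Boolean form of validate_indent, convenient for policy checks."""
    try:
        validate_indent(indent)
    except (TypeError, ValueError):
        return False
    return True


def nesting_depth(obj):
    """Maximum container nesting depth of dict/list/tuple values.

    Iterative so that deeply nested untrusted input cannot exhaust the
    Python recursion limit; scalars have depth 0, an empty container depth 1.
    """
    depth = 0
    stack = [(obj, 1)]
    while stack:
        node, d = stack.pop()
        if isinstance(node, dict):
            depth = max(depth, d)
            stack.extend((v, d + 1) for v in node.values())
        elif isinstance(node, (list, tuple)):
            depth = max(depth, d)
            stack.extend((v, d + 1) for v in node)
    return depth


def indentation_fits_int32(obj, indent):
    """Belt-and-braces check mirroring the advisory's overflow condition:
    the product of indent and nesting depth must not exceed INT32_MAX."""
    return indent * nesting_depth(obj) <= INT32_MAX


def safe_dumps(obj, indent=0):
    """Encode obj, refusing indent values that could trigger the bug."""
    indent = validate_indent(indent)
    if not indentation_fits_int32(obj, indent):
        raise ValueError("indent * nesting depth would exceed INT32_MAX")
    if ujson is not None:
        return ujson.dumps(obj, indent=indent)
    # stdlib fallback: ujson's indent=0 means compact output, json's does not,
    # so map 0 to None and use compact separators in that case.
    return json.dumps(obj, indent=indent or None,
                      separators=None if indent else (",", ":"))


if __name__ == "__main__":
    # constructed sample input, as a service might receive it
    payload = {"user": "alice", "roles": ["admin", "ops"], "meta": {"depth": {"x": 1}}}
    print(safe_dumps(payload, indent=2))
    for bad in (-1, -2**31, 2**31):
        print(bad, "accepted" if indent_is_accepted(bad) else "rejected")
```

Upgrading to 5.12.0 remains the actual fix; the wrapper is the input-validation layer that the "Risk and Exploitability" paragraph says a service must have whenever indent is user-controlled, and it also protects a service that has not yet been able to upgrade.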

Generated by OpenCVE AI on March 23, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to UltraJSON 5.12.0 or later.



Advisories
Source: Github GHSA
ID: GHSA-c8rr-9gxc-jprv
Title: UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop
History

Wed, 25 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Ultrajson Project; Ultrajson Project ultrajson

Type: CPEs
Values Added: cpe:2.3:a:ultrajson_project:ultrajson:*:*:*:*:*:python:*:*

Type: Vendors & Products
Values Added: Ultrajson Project; Ultrajson Project ultrajson

Fri, 20 Mar 2026 12:15:00 +0000

Type: References
Values Removed / Values Added: (no visible values)

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Ultrajson; Ultrajson ultrajson

Type: Vendors & Products
Values Added: Ultrajson; Ultrajson ultrajson

Fri, 20 Mar 2026 02:15:00 +0000

Type: Description
Values Added: UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.

Type: Title
Values Added: UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop

Type: Weaknesses
Values Added: CWE-190, CWE-787, CWE-835

Type: References
Values Removed / Values Added: (no visible values)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Vendor: Ultrajson, Product: Ultrajson
Vendor: Ultrajson Project, Product: Ultrajson
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:32:46.613Z

Reserved: 2026-03-16T21:03:44.420Z

Link: CVE-2026-32875

Vulnrichment

Updated: 2026-03-25T14:32:38.548Z

NVD

Status : Analyzed

Published: 2026-03-20T02:16:35.887

Modified: 2026-03-23T15:29:05.183

Link: CVE-2026-32875

Redhat

Severity : Important

Public Date: 2026-03-20T01:35:23Z

Links: CVE-2026-32875 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:09:41Z

Weaknesses