Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues. This vulnerability is fixed in 5.13.0.
Published: 2026-06-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ujson.dumps(), ujson.dump(), and ujson.encode() can be configured with reject_bytes=False, which allows them to accept invalid or truncated UTF-8 byte sequences. When this occurs, the library silently rewrites the malformed bytes into different Unicode code points rather than rejecting them, bypassing the intended input validation. This behavior can corrupt data structures, produce unintended output, and undermine data integrity. The vulnerability is a classic input validation flaw (CWE-20).

Affected Systems

The issue affects all installations of UltraJSON version 5.12.x and earlier. Any environment that imports and uses ujson.dumps() (or its variants) from these versions without the fix is vulnerable. The fix is contained in UltraJSON 5.13.0 and later.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, indicating moderate severity. EPSS data is unavailable, so the exploitation probability is unknown, and the flaw is not listed in CISA's KEV catalog. The likely attack vector is application code that receives user-controlled input and passes it directly to the vulnerable encoding functions; a threat actor could then influence the encoded output or inject data that is later misinterpreted. Exploitation would require the ability to supply arbitrary UTF-8 data to the application, making it a local or web-app-level risk rather than an arbitrary remote execution vector.

Generated by OpenCVE AI on June 22, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade UltraJSON to version 5.13.0 or newer to apply the fix.
  • If an upgrade is delayed, set reject_bytes=True when calling ujson.dumps(), ujson.dump(), or ujson.encode() to enforce strict UTF-8 validation.
  • Validate input data for well-formed UTF-8 before passing it to UltraJSON, flagging or rejecting malformed sequences early.
  • Consider switching to a JSON library that performs strict validation by default if input validation cannot be ensured.
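Added example (not UltraJSON's or OpenCVE's code) of the pre-validation step recommended above: every bytes value is decoded with Python's strict UTF-8 decoder before anything reaches the encoder, and reject_bytes=True stays set as a backstop. It assumes only the standard library (ujson is used when importable, json otherwise); the sample inputs are constructed.

```python
import json


def decode_strict(obj, path="$"):
    """Return a copy of obj with every bytes value decoded as strict UTF-8.
    A truncated, malformed or overlong sequence raises ValueError naming
    the location, so bad input is rejected before it reaches the encoder."""
    if isinstance(obj, (bytes, bytearray)):
        try:
            return bytes(obj).decode("utf-8", errors="strict")
        except UnicodeDecodeError as exc:
            raise ValueError(f"malformed UTF-8 at {path}: {exc.reason}") from None
    if isinstance(obj, dict):
        return {decode_strict(k, f"{path}.<key>"): decode_strict(v, f"{path}.{k!r}")
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [decode_strict(v, f"{path}[{i}]") for i, v in enumerate(obj)]
    return obj  # str, numbers, bools, None pass through unchanged


def is_well_formed(obj):
    """True when every bytes value nested in obj is well-formed UTF-8."""
    try:
        decode_strict(obj)
        return True
    except ValueError:
        return False


def safe_dumps(obj):
    """Validate first, then encode; reject_bytes=True stays on as a backstop."""
    clean = decode_strict(obj)  # only str values remain from here on
    try:
        import ujson  # optional: used when installed, stdlib json otherwise
        return ujson.dumps(clean, reject_bytes=True)
    except ImportError:
        return json.dumps(clean)


# Constructed samples: valid UTF-8, a truncated 3-byte sequence (first two
# bytes of U+20AC), a lone continuation byte, and an overlong encoding of '/'.
SAMPLES = {
    "valid": {"name": b"caf\xc3\xa9"},
    "truncated": {"name": b"\xe2\x82"},
    "lone_continuation": {"tags": [b"ok", b"\x80"]},
    "overlong_slash": {"path": b"\xc0\xaf"},
}
```

Only the "valid" sample encodes; the other three are refused with the path of the offending value, instead of being silently rewritten.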

Generated by OpenCVE AI on June 22, 2026 at 23:30 UTC.

Advisories
Source: Github GHSA
ID: GHSA-3j69-69wj-xqx2
Title: UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
History

Tue, 23 Jun 2026 01:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Ultrajson; Ultrajson ultrajson
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Ultrajson; Ultrajson ultrajson

Mon, 22 Jun 2026 22:00:00 +0000

Type: Description
  Values Added: UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues. This vulnerability is fixed in 5.13.0.
Type: Title
  Values Added: UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
Type: Weaknesses
  Values Added: CWE-20
Type: References
  Values Added: (none)
Type: Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:53:07.019Z

Reserved: 2026-06-16T13:49:33.556Z

Link: CVE-2026-54911

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T01:15:16Z

Weaknesses
  • CWE-20: Improper Input Validation