CVE-2022-31116

Published: Jul 5, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.

Vendor	Product	Versions
ultrajson	ultrajson	affected `< 5.4.0`

Weaknesses (CWE)

CWE-670

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r

x_refsource_CONFIRM

https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687

x_refsource_MISC

FEDORA-2022-1b2b8d5177

vendor-advisory

x_refsource_FEDORA

FEDORA-2022-33e816bc37

vendor-advisory

x_refsource_FEDORA

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-31116

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References