CVE

CVE-2026-32874

UltraJSON has a Memory Leak parsing large integers allows DoS

Summary

ujson versions 5.4.0 through 5.11.0 inclusive contain an accumulating memory leak when parsing large integers (outside the range [-2^63, 2^64 - 1]) from JSON.

Exploitability

Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks.

Details

The leaked memory is a copy of the string form of the integer plus an additional NUL terminator byte. The leak occurs irrespective of whether the integer parses successfully or is rejected because it has more than sys.get_int_max_str_digits() digits, so the amount leaked per malicious JSON document is bounded only by the size of the payload itself; where no limit is placed on overall payload size, a leak of any size can be achieved.

import sys
import ujson

ujson.loads(str(2 ** 64 - 1))  # Largest in-range value: no leak
ujson.loads(str(2 ** 64))  # First out-of-range value: parses, but leaks
ujson.loads(str(10 ** sys.get_int_max_str_digits()))  # Too many digits: leaks and raises ValueError

Fix

The leak is fixed in ujson 5.12.0 (4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.
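A defender-side check added here (not part of the advisory or the ujson project): it classifies an installed ujson version against the affected range above, identifies integers that take the leaking branch, and offers a peak-RSS regression probe for confirming the fix locally. Function names are my own; the probe assumes a Unix `resource` module and a locally installed ujson.

```python
import resource
from importlib import metadata

# Affected range from the advisory: 5.4.0 <= version <= 5.11.0; fixed in 5.12.0.
AFFECTED_MIN = (5, 4, 0)
FIRST_FIXED = (5, 12, 0)
INT64_MIN, UINT64_MAX = -2**63, 2**64 - 1


def parse_version(text):
    """Turn '5.11.0' (or '5.12.0rc1', '5.11') into a comparable 3-tuple."""
    nums = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits or 0))
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version):
    """True when the given ujson version is inside the leaking range."""
    return AFFECTED_MIN <= parse_version(version) < FIRST_FIXED


def takes_leaking_path(n):
    """Integers outside [-2^63, 2^64 - 1] hit the leaking parser branch."""
    return n < INT64_MIN or n > UINT64_MAX


def installed_ujson_affected():
    """Check the ujson actually installed in this environment (None if absent)."""
    try:
        return is_affected(metadata.version("ujson"))
    except metadata.PackageNotFoundError:
        return None


def leak_probe(iterations=50_000):
    """Regression probe: peak-RSS growth (ru_maxrss units, KiB on Linux) across
    repeated parses of the smallest leaking integer. Expect ~0 on 5.12.0 or later."""
    import ujson  # imported lazily so the rest of the module works without it
    payload = str(UINT64_MAX + 1)  # 2**64: first value outside the safe range
    before = resource.getrusage(resource.RUSAGE_SELF).ru_maxrss
    for _ in range(iterations):
        ujson.loads(payload)  # parses fine on affected versions, but leaks
    return resource.getrusage(resource.RUSAGE_SELF).ru_maxrss - before
```

Run `leak_probe()` twice in the same process on a patched build: the second call should return 0 since peak RSS no longer climbs.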

Credits

Discovered by Cameron Criswell/Skevros using coverage-guided fuzzing (libFuzzer + AddressSanitizer).

CVSS Scores

CVSS Version | Base Score | Score Vector
3.1 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1 | 0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm
https://nvd.nist.gov/vuln/detail/CVE-2026-32874
https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2
https://github.com/ultrajson/ultrajson
https://github.com/ultrajson/ultrajson/releases/tag/5.12.0

Basic Information

Ecosystem: (not listed)
Base CVSS: 7.5
EPSS Probability: 0.00073%
EPSS Percentile: 0.22115%
Introduced Version: 5.4.0,0
Fix Available: 5.12.0,2.71.0-r1
