
CVE-2022-31116 – ujson

Package

Manager: pip
Name: ujson
Vulnerable Version: >=0 <5.4.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00143 (percentile 0.35251)

Details

Incorrect handling of invalid surrogate pair characters

### Impact

_What kind of vulnerability is it? Who is impacted?_

Anyone parsing JSON from an untrusted source is vulnerable. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries.

Examples:

```python
# An unpaired high surrogate character is ignored.
>>> ujson.loads(r'"\uD800"')
''
>>> ujson.loads(r'"\uD800hello"')
'hello'

# An unpaired low surrogate character is preserved.
>>> ujson.loads(r'"\uDC00"')
'\udc00'

# A pair of surrogates with additional non-surrogate characters between them
# pair up in spite of being invalid.
>>> ujson.loads(r'"\uD800foo bar\uDC00"')
'foo bar𐀀'
```

### Patches

_Has the problem been patched? What versions should users upgrade to?_

Users should upgrade to UltraJSON 5.4.0. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output:

```python
>>> ujson.loads(r'"\uD800"')
'\ud800'
>>> ujson.loads(r'"\uD800hello"')
'\ud800hello'
>>> ujson.loads(r'"\uDC00"')
'\udc00'
>>> ujson.loads(r'"\uD800foo bar\uDC00"')
'\ud800foo bar\udc00'
```

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Short of switching to an entirely different JSON library, there are no safe alternatives to upgrading.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [UltraJSON](http://github.com/ultrajson/ultrajson/issues)
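The following is an added example, not code from the advisory or from UltraJSON: a pre-parse audit that flags the input class behind this CVE (`\uXXXX` escapes encoding lone surrogates) before any decoder sees it, then decodes with the standard library, whose lone-surrogate handling the advisory names as the reference behaviour for 5.4.0. `KEY_CONFUSION_DOC` is a constructed document illustrating the key collision the advisory describes; it is not taken from the page.

```python
"""Pre-parse audit for the input class behind CVE-2022-31116 (lone UTF-16
surrogates in JSON \\uXXXX escapes). Added example; standard library only."""
import json
import re

HIGH = range(0xD800, 0xDC00)   # leading (high) surrogate code units
LOW = range(0xDC00, 0xE000)    # trailing (low) surrogate code units

# Tokenises every backslash escape left to right, so an escaped backslash
# (\\) is consumed as one token and a 'u' after it is never read as \u.
_ESCAPE = re.compile(r'\\(u[0-9a-fA-F]{4}|.)', re.DOTALL)

# Constructed document: in ujson < 5.4.0 the unpaired \uD800 was dropped, so
# both keys decoded to "admin" and one value silently overwrote the other.
KEY_CONFUSION_DOC = '{"\\uD800admin": "guest", "admin": "root"}'


def find_lone_surrogate_escapes(text):
    """Return [(offset, escape, kind)] for each \\uXXXX escape in `text` that
    encodes a surrogate without a valid partner escape directly adjacent."""
    escapes = [(m.start(), int(m.group(1)[1:], 16), m.end())
               for m in _ESCAPE.finditer(text) if m.group(1)[0] == "u"]
    findings, i = [], 0
    while i < len(escapes):
        start, unit, end = escapes[i]
        if unit in HIGH:
            nxt = escapes[i + 1] if i + 1 < len(escapes) else None
            if nxt and nxt[0] == end and nxt[1] in LOW:
                i += 2          # well-formed pair: high immediately followed by low
                continue
            findings.append((start, text[start:end], "lone high surrogate"))
        elif unit in LOW:
            findings.append((start, text[start:end], "lone low surrogate"))
        i += 1
    return findings


def audit_and_load(text):
    """Refuse input with lone surrogate escapes; otherwise decode it with the
    standard library, which preserves lone surrogates as ujson >= 5.4.0 does."""
    findings = find_lone_surrogate_escapes(text)
    if findings:
        raise ValueError("lone surrogate escapes at offsets "
                         + ", ".join(str(f[0]) for f in findings))
    return json.loads(text)


if __name__ == "__main__":
    for offset, esc, kind in find_lone_surrogate_escapes(KEY_CONFUSION_DOC):
        print(f"offset {offset}: {esc} ({kind})")
    # The stdlib keeps both keys distinct; a decoder that drops \uD800 does not.
    print(sorted(json.loads(KEY_CONFUSION_DOC)))
```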

Metadata

Created: 2022-07-05T21:06:00Z
Modified: 2022-08-05T13:56:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-wpqr-jcpx-745r/GHSA-wpqr-jcpx-745r.json
CWE IDs: ["CWE-670"]
Alternative ID: GHSA-wpqr-jcpx-745r
Finding: F164
Auto approve: 1