Justanotherarchivist

**Name of the Vulnerable Software and Affected Versions** UltraJSON versions prior to 5.4.0 **Description** The issue occurs when an error happens while reallocating a buffer for string decoding, causing the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. There are no known workarounds for this issue. **Recommendations** For versions prior to 5.4.0, upgrade to UltraJSON 5.4.0 to resolve the issue. At the moment, there is no other information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** UltraJSON versions prior to 5.4.0 **Description** The issue is related to the improper decoding of certain characters in JSON strings, specifically escaped surrogate characters not part of a proper surrogate pair. This can lead to string corruption, key confusion, and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. The problem allows for potential data integrity impact. **Recommendations** For versions prior to 5.4.0, upgrade to UltraJSON 5.4.0 to resolve the issue. As a temporary workaround, consider avoiding the use of UltraJSON for parsing JSON from untrusted sources until the upgrade is applied. There are no known safe alternatives to upgrading.