CVE-2021-45958

CVSS v4.0

6.8

Medium

Vector

AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: UltraJSON (aka ujson) versions 1.34 through 5.1.0

Description: The issue is a stack-based buffer overflow in Buffer AppendIndentUnchecked, which is called from encode. This can be exploited, for example, by using a large amount of indentation. There is a dispute regarding the confirmation of this finding, with some third parties arguing that the issue is not a confirmed vulnerability due to a change in the AFLplusplus project.

Recommendations: For versions 1.34 through 5.1.0, consider disabling the Buffer AppendIndentUnchecked function or restricting its use until a patch is available. As a temporary workaround, avoid using excessive indentation in the encode function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

ALT-PU-2022-2708

CVE-2021-45958

DLA-2929-1

GHSA-FH56-85CW-5PQ6

MGASA-2022-0169

OPENSUSE-SU-2024:12106-1

OPENSUSE-SU-2025:15107-1

PYSEC-2022-25

SUSE-SU-2023:2134-1

SUSE-SU-2023_2134-1

USN-6629-1

USN-6629-2

Affected Products

Alt Linux

Debian

Linuxmint

Suse

Ubuntu

Ultrajson

CVE-2021-45958

Weakness Enumeration

Related Identifiers

Affected Products

References · 50