PT-2026-26093 · Ultrajson +2

Vmfunc

·

Published

2026-03-17

·

Updated

2026-04-28

·

CVE-2026-32875

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: UltraJSON versions 5.10 through 5.11.0

Description: UltraJSON, a fast JSON encoder and decoder written in C, is susceptible to a buffer overflow or an infinite loop when encoding with large indent values. Specifically, ujson.dumps() can crash the Python interpreter with a segmentation fault if the product of the indent parameter and the nesting depth of the input exceeds the maximum value of a 32-bit integer (INT32_MAX). Additionally, a large negative indent value can cause the function to enter an infinite loop. Both issues stem from an integer overflow or underflow when computing the size of the buffer allocated for indentation. Exploitation requires a service to call ujson.dump(), ujson.dumps(), or ujson.encode() while letting untrusted users control the indent parameter without restricting it to reasonable non-negative values. A service that uses a fixed negative indent may also be vulnerable to the infinite loop.

Recommendations: Update UltraJSON versions 5.10 through 5.11.0 to version 5.12.0 or later. As a temporary workaround, validate the indent parameter before it reaches the encoder: reject negative values and cap it at a small positive number. Do not use negative indent values. If untrusted users can control the indent parameter, restrict access to the affected functions.
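The workaround described in the Recommendations field, as an added example that is not part of this advisory or of the UltraJSON project: a wrapper that validates indent before it is handed to ujson.dumps(). It rejects negative values, caps indent at a policy maximum, and additionally checks the indent times nesting-depth product against INT32_MAX, which is the overflow condition the Description gives. The MAX_INDENT value, the nesting_depth helper, and the fallback to the standard-library json module when ujson is not installed are assumptions made for this example.

```python
import json

try:
    import ujson  # the encoder this advisory concerns
except ImportError:
    # Assumption for this example only: fall back to the stdlib encoder when
    # ujson is absent so the validation logic can still be exercised.
    ujson = None

INT32_MAX = 2**31 - 1
MAX_INDENT = 8  # hypothetical service policy: nobody needs deeper indentation than this


def nesting_depth(obj):
    """Maximum container nesting depth of obj (scalars are 0, [] and {} are 1).

    Walks iteratively so that inputs deeper than the interpreter's recursion
    limit are still measured instead of raising RecursionError.
    """
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            deepest = max(deepest, depth)
            stack.extend((child, depth + 1) for child in node.values())
        elif isinstance(node, (list, tuple)):
            deepest = max(deepest, depth)
            stack.extend((child, depth + 1) for child in node)
    return deepest


def check_indent(indent, obj, max_indent=MAX_INDENT):
    """Return indent if it is safe to pass to the encoder, otherwise raise.

    The negative-value and cap checks are the workaround the advisory
    recommends; the product check mirrors the overflow condition it describes
    and only matters if max_indent is ever raised to a large value.
    """
    if isinstance(indent, bool) or not isinstance(indent, int):
        raise TypeError("indent must be an int")
    if indent < 0:
        raise ValueError("negative indent is not allowed (infinite loop in ujson <= 5.11.0)")
    if indent > max_indent:
        raise ValueError(f"indent {indent} exceeds policy maximum {max_indent}")
    if indent * nesting_depth(obj) > INT32_MAX:
        raise ValueError("indent * nesting depth would overflow a 32-bit int")
    return indent


def is_safe_indent(indent, obj, max_indent=MAX_INDENT):
    """Boolean form of check_indent for callers that prefer not to catch exceptions."""
    try:
        check_indent(indent, obj, max_indent)
    except (TypeError, ValueError):
        return False
    return True


def safe_dumps(obj, indent=0):
    """Encode obj after validating indent; indent=0 means compact output."""
    indent = check_indent(indent, obj)
    if ujson is not None:
        return ujson.dumps(obj, indent=indent)
    # stdlib fallback (assumption): match ujson's compact form for indent=0
    if indent == 0:
        return json.dumps(obj, separators=(",", ":"))
    return json.dumps(obj, indent=indent)


if __name__ == "__main__":
    # Constructed sample document, not taken from the advisory.
    sample = {"user": "alice", "roles": ["admin", "dev"], "prefs": {"theme": "dark"}}
    print(safe_dumps(sample, indent=2))
    for candidate in (-1, 2**31, 10**9):  # values an untrusted caller might supply
        print(candidate, "accepted" if is_safe_indent(candidate, sample) else "rejected")
```

Place the check at the boundary where the request parameter is parsed rather than next to each encoder call, so a later call site cannot bypass it; the product check is cheap because nesting_depth is linear in the size of the document.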

Exploit

Fix

DoS

Integer Overflow

Memory Corruption

Infinite Loop

Weakness Enumeration

Related Identifiers

BDU:2026-05094
CVE-2026-32875
ECHO-D87E-E10C-F209
GHSA-C8RR-9GXC-JPRV
MGASA-2026-0073
USN-8219-1

Affected Products

Linuxmint
Ubuntu
Ultrajson