CVE-2026-32875
Buffer Overflow and Infinite Loop in UltraJSON Indent Handling
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ultrajson_project | ultrajson | From 5.1.0 (inc) to 5.12.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32875 is a vulnerability in the UltraJSON (ujson) library versions 5.10 through 5.11.0, specifically in the handling of the indent parameter during JSON encoding with functions like ujson.dumps().
The issue arises when the product of the indent value and the nested depth of the input data exceeds the maximum 32-bit signed integer value (INT32_MAX), causing an integer overflow during memory allocation for indentation. This leads to a buffer overflow and crashes the Python interpreter with a segmentation fault.
Additionally, if a large negative indent value is used, an integer underflow occurs, causing the buffer resizing logic to enter an infinite loop during serialization.
The vulnerability can be triggered if untrusted users control the indent parameter without restrictions, allowing denial of service via crashes or hangs.
How can this vulnerability impact me? :
This vulnerability can lead to denial of service (DoS) attacks against applications using vulnerable versions of UltraJSON.
An attacker who can control the indent parameter can cause the Python interpreter to crash due to a segmentation fault or cause the application to hang indefinitely due to an infinite loop.
Such crashes or hangs can disrupt service availability, potentially affecting reliability and user experience.
Exploitation requires no privileges or user interaction and can be triggered remotely if the service exposes JSON encoding functionality with unsafe indent parameter handling.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing if the ujson.dumps() function crashes or hangs when called with large or negative indent values. Specifically, calling ujson.dumps() with a very large indent parameter (e.g., indent=2000000000) may cause a segmentation fault (crash), and using large negative indent values may cause an infinite loop.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can run Python commands that invoke ujson.dumps() with suspicious indent values and observe if the interpreter crashes or hangs.'}, {'type': 'list_item', 'content': 'Example command to test for crash (segmentation fault):\n\n```python\nimport ujson\ntry:\n ujson.dumps({"key": "value"}, indent=2000000000)\nexcept Exception as e:\n print(f"Exception caught: {e}")\n```\nIf this causes a crash or segmentation fault, the system is vulnerable.'}, {'type': 'list_item', 'content': 'Example command to test for infinite loop:\n\n```python\nimport ujson\n# Use a nested JSON object\nnested_json = {"a": {"b": {"c": "d"}}}\n# Use a large negative indent\nujson.dumps(nested_json, indent=-1000000)\n```\nIf this hangs indefinitely, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Detection requires that the service or system uses ujson.dumps() or related functions with user-controllable indent parameters without restrictions.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the ultrajson (ujson) library to version 5.12.0 or later, where the vulnerability has been fixed.
If upgrading is not immediately possible, restrict or sanitize the indent parameter passed to ujson.dumps(), ujson.dump(), or ujson.encode() to ensure it is a reasonably small non-negative integer, ideally capped at 1000 or less.
- Disallow or reject large positive indent values that could cause integer overflow.
- Disallow negative indent values or restrict them to -1 to avoid infinite loops caused by underflow.
Alternatively, avoid using indentation in JSON serialization when user input controls the indent parameter, or use fixed indentation values that are safe.
These mitigations help prevent denial of service attacks caused by crashes or infinite loops triggered by malicious indent values.