CVE-2026-54911
Analyzed Analyzed - Analysis Complete

UltraJSON UTF-8 Decoding Bypass via reject_bytes

Vulnerability report for CVE-2026-54911, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues. This vulnerability is fixed in 5.13.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-26
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ultrajson_project ultrajson to 5.13.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in UltraJSON, a fast JSON encoder and decoder written in pure C with Python bindings. Before version 5.13.0, the functions ujson.dumps(), ujson.dump(), and ujson.encode() had an option reject_bytes=False that could accept malformed or truncated UTF-8 byte sequences. Instead of rejecting these invalid sequences, the functions would silently rewrite them into different Unicode characters. This behavior leads to input validation bypass and data integrity issues.

Impact Analysis

This vulnerability can impact you by allowing malformed or truncated UTF-8 byte sequences to be accepted and silently altered rather than rejected. This can cause input validation bypass, meaning that invalid or malicious data might be processed without detection. Additionally, it can lead to data integrity issues because the original data may be changed unexpectedly during encoding or decoding.

Mitigation Strategies

To mitigate this vulnerability, upgrade UltraJSON (ujson) to version 5.13.0 or later, where the issue with malformed or truncated UTF-8 byte sequences being silently rewritten is fixed.

Compliance Impact

The vulnerability in UltraJSON allows malformed or truncated UTF-8 byte sequences to be silently rewritten into different Unicode characters instead of being rejected. This leads to input validation bypass and data integrity issues.

Such data integrity issues and input validation bypasses can potentially impact compliance with standards and regulations like GDPR and HIPAA, which require accurate and reliable data processing and protection of personal and sensitive information.

However, specific effects on compliance are not detailed in the provided information.

Detection Guidance

This vulnerability affects the UltraJSON (ujson) library versions prior to 5.13.0 when using the ujson.dumps(), ujson.dump(), or ujson.encode() functions with the reject_bytes=False option. To detect if your system is vulnerable, first verify the installed version of the ujson library.

  • Check the installed ujson version in your Python environment by running: python3 -c "import ujson; print(ujson.__version__)"

If the version is earlier than 5.13.0, your system may be vulnerable. Additionally, you can test if the vulnerable functions accept malformed UTF-8 byte sequences by running a Python script that uses ujson.dumps() with reject_bytes=False on known malformed byte sequences and observing if they are silently rewritten instead of raising errors.

  • Example Python test snippet to detect vulnerability: import ujson try: # Malformed UTF-8 byte sequence result = ujson.dumps(b'\xcf\x13', reject_bytes=False) print("Potentially vulnerable: malformed bytes accepted and rewritten.") except Exception as e: print("Not vulnerable: error raised on malformed bytes.")

There are no specific network commands to detect this vulnerability since it is a library-level issue. Detection focuses on verifying the ujson version and testing the behavior of the encoding functions in your environment.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54911. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart