Integer Overflow or Wraparound Affecting ujson package, versions [5.1.0,5.12.0)

Q: How to fix?

Upgrade ujson to version 5.12.0 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Integer Overflow or Wraparound vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-UJSON-15682605
published18 Mar 2026
disclosed18 Mar 2026
creditChu Yu, Ethan Kim, celeste

Report a new vulnerability Found a mistake?

Introduced: 18 Mar 2026

NewCVE-2026-32875 (opens in a new tab) CWE-190 (opens in a new tab)

How to fix?

Upgrade ujson to version 5.12.0 or higher.

Overview

ujson is an Ultra fast JSON encoder and decoder for Python

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the indent parameter in the dumps(), dump(), or encode() functions. An attacker can cause a crash or infinite loop by supplying large or negative values for indent, leading to excessive memory allocation or unbounded processing.

Workaround

This vulnerability can be mitigated by using a fixed, non-negative, and reasonably small value for the indent parameter (below 2**31/max_recursion_depth_as_limited_by_stack_size), or by disabling indentation altogether.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None