Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 9 pypi packages depend on ujson (6 direct, 4 indirect)
Ecosystem-wide dependent count for version 5.12.1.
DescriptionGitHub Advisory
Summary
When ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload.
Code that uses ujson.dumps() rather than ujson.dump() or only JSON load/decode methods is unaffected.
Details
Vulnerability Location:
src/ujson/python/objToJSON.c:913-objToJSONFile()function startsrc/ujson/python/objToJSON.c:931- Error return on write failuresrc/ujson/python/objToJSON.c:942- Early return without cleanup
Root Cause:
The objToJSONFile() function allocates a Python string object via ujson_dumps_internal(), calls the file's write() method, and returns early if write() raises an exception-but never calls Py_DECREF(string) on the early exit path.
PoC
import gc, tracemalloc, ujson
class BadFile:
def write(self, s):
raise RuntimeError("boom")
obj = {"x": "A" * 200000}
def run():
try:
ujson.dump(obj, BadFile())
except RuntimeError:
pass
run()
tracemalloc.start()
gc.collect()
base = tracemalloc.get_traced_memory()[0]
for i in range(5):
run()
gc.collect()
cur = tracemalloc.get_traced_memory()[0]
print(i, cur - base)Impact
Any application that serializes data through ujson.dump() to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using ujson.dump() by repeatedly making requests then closing the connection mid response.
Remediation
The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to UltraJSON 5.12.1.
Workarounds
Replacing ujson.dump(obj, file) with file.write(ujson.dumps(obj)) is equivalent (contrary to popular misconception, there are no streaming benefits to using ujson.dump()) and will avoid the memory leak.
Analysis
Summary
When ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload.
Code that uses ujson.dumps() rather than ujson.dump() or only JSON load/decode methods is unaffected.
Details
Vulnerability Location:
src/ujson/python/objToJSON.c:913-objToJSONFile()function startsrc/ujson/python/objToJSON.c:931- Error return on write failuresrc/ujson/python/objToJSON.c:942- Early return without cleanup
Root Cause:
The objToJSONFile() function allocates a Python string object via ujson_dumps_internal(), calls the file's write() method, and returns early if write() raises an exception-but never calls Py_DECREF(string) on the early exit path.
PoC
import gc, tracemalloc, ujson
class BadFile:
def write(self, s):
raise RuntimeError("boom")
obj = {"x": "A" * 200000}
def run():
try:
ujson.dump(obj, BadFile())
except RuntimeError:
pass
run()
tracemalloc.start()
gc.collect()
base = tracemalloc.get_traced_memory()[0]
for i in range(5):
run()
gc.collect()
cur = tracemalloc.get_traced_memory()[0]
print(i, cur - base)Impact
Any application that serializes data through ujson.dump() to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using ujson.dump() by repeatedly making requests then closing the connection mid response.
Remediation
The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to UltraJSON 5.12.1.
Workarounds
Replacing ujson.dump(obj, file) with file.write(ujson.dumps(obj)) is equivalent (contrary to popular misconception, there are no streaming benefits to using ujson.dump()) and will avoid the memory leak.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32663
GHSA-c38f-wx89-p2xg