UltraJSON CVE-2026-54911
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
AC:H because exploitation requires both non-default reject_bytes=False configuration and pre-serialization validation ordering; no confidentiality or availability impact beyond data integrity mutation.
Primary rating from Vendor (https://github.com/ultrajson/ultrajson).
CVSS VectorVendor: https://github.com/ultrajson/ultrajson
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 3,192 pypi packages depend on ujson (956 direct, 2,271 indirect)
Ecosystem-wide dependent count for version 5.13.0.
DescriptionCVE.org
Summary
ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues.
Details
The expected behavior is that for x being any bytes string, x == ujson.loads(ujson.dumps(x, reject_bytes=False)).encode(errors="surrogatepass") should always either be true or ujson.dumps() will throw an exception. In reality, some strings which should've been errors are silently rewritten as other strings:
- Invalid continuation bytes are replaced with valid ones:
b'\xcf\x13'->b'\xcf\x93' - Unterminated sequence completes the sequence:
b'\xc3'->b'\xc3\x80' - ... or leads to reading past the end of string:
b'\xf0\x90\x94'->b"\xf0\x90\x94\x80inxcontrib'"
Impact
An application relying on reject_bytes=False for UTF-8 handling may experience:
- Data integrity issues
- Experience validation bypass if said validation occurs before serialisation
Remediation
The missing/broken UTF-8 validation checks were added/fixed in https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf. We recommend upgrading to UltraJSON 5.13.0.
Workarounds
Decoding bytes to strings in Python before passing them to ujson.dumps() avoids this issue.
AnalysisAI
Silent UTF-8 rewriting in UltraJSON (ujson) versions up to and including 5.12.1 allows input validation bypass and data integrity corruption when the reject_bytes=False encoding option is used. Malformed or truncated byte sequences - including invalid continuation bytes and over-read sequences - are silently transformed into different, syntactically valid Unicode characters rather than triggering an error, meaning data that exits ujson.dumps() differs from data that entered it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application explicitly passes the reject_bytes=False keyword argument to ujson.dumps(), ujson.dump(), or ujson.encode() - this is an opt-in parameter, not the default behavior. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N yields a score of 6.5 (Medium), treating this as a low-complexity unauthenticated network-reachable flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a crafted multipart or binary HTTP request body containing the byte sequence b'\xcf\x13' to a Python web application that uses ujson.dumps(body, reject_bytes=False) to re-serialize the payload for downstream storage or forwarding. The application's input filter checks the raw bytes against a blocklist before calling ujson - b'\xcf\x13' passes the check. … |
| Remediation | Upgrade UltraJSON to version 5.13.0 or later, which contains the fix committed at https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3j69-69wj-xqx2