CVE-2022-31116
📋 TL;DR
UltraJSON versions before 5.4.0 improperly decode JSON strings containing escaped surrogate characters, potentially corrupting data and allowing dictionary key confusion or value overwriting. This affects all Python applications using UltraJSON to parse untrusted JSON data. The vulnerability could lead to data integrity issues or unexpected behavior in applications.
💻 Affected Systems
- UltraJSON (ujson)
📦 What is this software?
Fedora by Fedoraproject
Ultrajson by Ultrajson Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate JSON parsing to overwrite dictionary keys, potentially leading to data corruption, privilege escalation, or application crashes in systems relying on UltraJSON for critical operations.
Likely Case
Data corruption in parsed JSON strings, unexpected application behavior, or crashes when processing malformed JSON from untrusted sources.
If Mitigated
Minimal impact if only trusted JSON sources are processed or if input validation rejects malformed JSON before parsing.
🎯 Exploit Status
Exploitation requires sending specially crafted JSON to vulnerable applications. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.0 and later
Vendor Advisory: https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r
Restart Required: Yes
Instructions:
1. Upgrade UltraJSON to version 5.4.0 or later using pip: 'pip install --upgrade ujson==5.4.0'
2. Restart all Python applications using UltraJSON.
3. Test application functionality with the updated version.
🔧 Temporary Workarounds
Input Validation
Validate and sanitize JSON input before parsing with UltraJSON to reject malformed content containing lone surrogate characters.
🧯 If You Can't Patch
- Implement strict input validation to reject JSON containing escaped surrogate characters before parsing with UltraJSON.
- Switch to Python's standard json module for parsing untrusted JSON data if possible.
🔍 How to Verify
Check if Vulnerable:
Check the installed UltraJSON version: 'python -c "import ujson; print(ujson.__version__)"'. If the version is below 5.4.0, the installation is vulnerable.
Check Version:
python -c "import ujson; print(ujson.__version__)"
Verify Fix Applied:
After upgrading, verify that the version is 5.4.0 or higher with the same command, and test parsing JSON that contains escaped surrogate characters.
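The following Python is an added example, not code from this advisory or from the ujson project. It implements the two checks described above: a version comparison against the 5.4.0 fix, and the "Input Validation" workaround as a pre-parse guard that rejects lone escaped surrogates (a high surrogate \uD800-\uDBFF not immediately followed by a low surrogate \uDC00-\uDFFF, or a low surrogate on its own) while letting valid pairs through. The parser argument defaults to the standard library's json.loads only so the example runs without ujson installed; passing ujson.loads is the assumed deployment.

```python
"""Added example for CVE-2022-31116: version check plus a pre-parse guard
that rejects lone escaped surrogates before text reaches a JSON parser."""
import json
import re

FIXED_VERSION = (5, 4, 0)  # ujson 5.4.0 is the first fixed release


def ujson_is_vulnerable(version: str) -> bool:
    """True when a ujson version string such as '5.3.0' is below 5.4.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad '5.4' to (5, 4, 0)
    return parts < FIXED_VERSION


# One token per backslash escape, so an escaped backslash ("\\") is consumed
# whole and never mistaken for the start of a "\uXXXX" sequence.
_ESCAPE = re.compile(r"\\(u[0-9a-fA-F]{4}|.)", re.DOTALL)


def _codepoint(esc: str) -> int:
    """Code point of a \\uXXXX escape body, or -1 for any other escape."""
    return int(esc[1:], 16) if esc[0] == "u" else -1


def find_lone_surrogates(text: str) -> list:
    """Offsets of escaped surrogates that do not form a valid high/low pair."""
    escapes = [(m.start(), m.group(1)) for m in _ESCAPE.finditer(text)]
    lone, i = [], 0
    while i < len(escapes):
        pos, esc = escapes[i]
        cp = _codepoint(esc)
        if 0xD800 <= cp <= 0xDBFF:  # high surrogate: needs an adjacent low one
            nxt = escapes[i + 1] if i + 1 < len(escapes) else None
            if nxt and nxt[0] == pos + 6 and 0xDC00 <= _codepoint(nxt[1]) <= 0xDFFF:
                i += 2  # valid pair, skip both
                continue
            lone.append(pos)
        elif 0xDC00 <= cp <= 0xDFFF:  # low surrogate with no high before it
            lone.append(pos)
        i += 1
    return lone


def safe_loads(text: str, loads=json.loads):
    """Reject lone escaped surrogates, then parse with the given loader
    (assumed deployment: loads=ujson.loads; json.loads is only the default)."""
    bad = find_lone_surrogates(text)
    if bad:
        raise ValueError(f"lone escaped surrogate at offset(s) {bad}")
    return loads(text)
```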
📡 Detection & Monitoring
Log Indicators:
- Application crashes or errors when parsing JSON
- Unexpected dictionary key/value behavior in logs
Network Indicators:
- Incoming JSON payloads containing escaped surrogate characters (\uD800-\uDFFF)
SIEM Query:
Search for application logs containing JSON parsing errors or crashes related to UltraJSON/ujson module.
🔗 References
- https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687
- https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7/