UltraJSON Memory Leak Vulnerability in JSON Parsing of Large Integers Allowing Denial-of-Service

Vulnerability

A memory leak vulnerability has been identified in UltraJSON (ujson) versions 5.4.0 through 5.11.0. It is triggered when ujson parses a JSON integer literal that falls outside the range of -2^63 to 2^64 - 1. On each such parse, a copy of the integer's string representation, plus its terminating NULL byte, is allocated and never freed. The leak occurs whether the integer is ultimately parsed successfully or rejected for exceeding the maximum allowed number of digits. Because the leaked memory accumulates with every payload processed, an attacker who controls the JSON input can drive memory consumption up without bound and cause a denial of service. Any service that passes untrusted JSON to ujson's loading or decoding functions is affected.

Impact

Exploitation of this vulnerability causes a denial-of-service condition: each malicious payload adds to an accumulating memory leak, and repeated payloads exhaust system resources.

Reproduction

The vulnerability can be reproduced by having ujson parse JSON that contains integer literals outside the normal integer range, i.e. by calling ujson.loads() or ujson.decode() on such a document. The leak can be observed by monitoring the process's memory usage, which grows steadily as the large integers are parsed repeatedly.

Remediation

Users can upgrade to UltraJSON version 5.12.0, which addresses the memory leak vulnerability. Instructions for downloading this version are available on the UltraJSON GitHub releases page.
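As an added example (not code from the advisory or from the ujson project), the following Python script first checks whether an installed ujson version falls in the affected range described above and then measures resident-memory growth while repeatedly parsing a constructed oversized integer literal, using the standard library's json module as a non-leaking baseline. The helper names and the 40-digit sample payload are my own assumptions.

```python
import json
import re
import resource

# Affected range per the advisory: 5.4.0 <= version < 5.12.0 (5.12.0 carries the fix).
AFFECTED_MIN = (5, 4, 0)
FIXED_VERSION = (5, 12, 0)


def parse_version(version: str) -> tuple:
    """Turn '5.11.0' (or '5.11.0rc1', '5.12') into a 3-int tuple for comparison."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_affected(version: str) -> bool:
    """True if this ujson version is in the leaking range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION

def oversized_int_payload(digits: int = 40) -> str:
    """Constructed sample: a JSON array holding one integer far above 2**64 - 1."""
    return "[" + "9" * digits + "]"

def measure_rss_growth(loads, payload: str, iterations: int = 20000) -> int:
    """Parse `payload` repeatedly and return the growth in max RSS (KiB on Linux).
    On affected versions each call leaks the literal's digits plus a NUL byte,
    whether the literal is accepted or rejected with a ValueError."""
    before = resource.getrusage(resource.RUSAGE_SELF).ru_maxrss
    for _ in range(iterations):
        try:
            loads(payload)
        except ValueError:
            pass  # rejected for too many digits; still leaks on affected versions
    after = resource.getrusage(resource.RUSAGE_SELF).ru_maxrss
    return after - before


if __name__ == "__main__":
    import ujson  # the probe only makes sense with ujson installed
    payload = oversized_int_payload()
    print(f"ujson {ujson.__version__} affected: {is_affected(ujson.__version__)}")
    print("stdlib json growth (KiB):", measure_rss_growth(json.loads, payload))
    print("ujson growth (KiB):", measure_rss_growth(ujson.loads, payload))
```

On a patched release the ujson figure should stay close to the stdlib baseline; on an affected release it climbs with the iteration count.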

Added: Mar 20, 2026, 2:30 AM
Updated: Mar 20, 2026, 2:30 AM

Vulnerability Rating (Custom Algorithm)

spread: 7.8
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.