UltraJSON Memory Leak Vulnerability in ujson.dump() Prior to 5.12.1

Vulnerability

A memory leak vulnerability has been identified in UltraJSON versions through 5.12.0. The issue arises in the ujson.dump() function when writing to a file-like object. If the write operation fails, the serialized JSON string is not properly cleaned up, leading to a memory leak. Each failed write operation causes a leak equivalent to the size of the serialized payload. This vulnerability is not present when using ujson.dumps() or the JSON load/decode methods.

Impact

Exploitation of this vulnerability causes a linear memory leak, where each failed write operation in ujson.dump() leaks memory proportional to the size of the data being serialized. This can lead to increased memory usage and potentially exhaust available memory resources, causing applications to slow down or crash.

Reproduction

The vulnerability can be reproduced by using ujson.dump() to serialize data into a file-like object that raises an exception during the write operation. This can be done by creating a custom object that simulates a write failure, such as by raising a RuntimeError, and then passing this object to ujson.dump() along with data to be serialized. The memory leak can be observed by tracking memory usage before and after the operation, using a tool like Python's tracemalloc.
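The check described above, added here as an example that is not part of the advisory or of the ujson project: it uses tracemalloc to measure how much memory survives repeated dump() calls against a file-like object whose write() fails, using the standard library's json.dump as a non-leaking baseline and the installed ujson, if present, as the library under test. The sample payload, the FailingWriter class and the "at least half of a full per-call leak" threshold are constructed for this example.

```python
import json
import tracemalloc

# Constructed sample payload, large enough that a per-call leak stands out.
SAMPLE_PAYLOAD = {"records": [{"id": i, "blob": "x" * 512} for i in range(100)]}


class FailingWriter:  # constructed file-like object whose write() always fails
    def write(self, data):
        raise RuntimeError("simulated write failure")


def measure_leak(dump_fn, payload, iterations=200):
    """Bytes still allocated after `iterations` failing dump_fn calls, per tracemalloc."""
    writer = FailingWriter()
    def one_call():
        try:
            dump_fn(payload, writer)
        except RuntimeError:
            pass  # expected: the writer fails on purpose
    one_call()  # warm-up so one-off caches are not counted as a leak
    tracemalloc.start()
    before = tracemalloc.get_traced_memory()[0]
    for _ in range(iterations):
        one_call()
    retained = tracemalloc.get_traced_memory()[0] - before
    tracemalloc.stop()
    return retained


def is_leaking(dump_fn, payload, iterations=200):
    """True when at least half of a full per-call leak of the serialized payload is retained."""
    expected_leak = iterations * len(json.dumps(payload))
    return measure_leak(dump_fn, payload, iterations) >= expected_leak // 2


def leak_report(payload=SAMPLE_PAYLOAD):
    """Compare the stdlib json.dump (a non-leaking baseline) with the installed ujson, if any."""
    report = {"json": is_leaking(json.dump, payload)}
    try:
        import ujson  # optional: the library the advisory concerns
    except ImportError:
        report["ujson"] = None
    else:
        report["ujson"] = (ujson.__version__, is_leaking(ujson.dump, payload))
    return report


if __name__ == "__main__":
    print(leak_report())
```

Until the upgrade is in place, serializing with ujson.dumps() and writing the resulting string yourself avoids the affected code path, since the advisory states that dumps() is not affected.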

Remediation

Users are advised to upgrade to UltraJSON version 5.12.1, which fixes this vulnerability by adding the missing reference decrements on the failed-write path.

Added: May 28, 2026, 3:18 AM
Updated: May 28, 2026, 3:18 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 6.0
remediation: 8.3
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.