{"id":"GHSA-wpqr-jcpx-745r","summary":"Incorrect handling of invalid surrogate pair characters","details":"### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nAnyone parsing JSON from an untrusted source is vulnerable.\n\nJSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries.\n\nExamples:\n\n```python\n# An unpaired high surrogate character is ignored.\n\u003e\u003e\u003e ujson.loads(r'\"\\uD800\"')\n''\n\u003e\u003e\u003e ujson.loads(r'\"\\uD800hello\"')\n'hello'\n\n# An unpaired low surrogate character is preserved.\n\u003e\u003e\u003e ujson.loads(r'\"\\uDC00\"')\n'\\udc00'\n\n# A pair of surrogates with additional non surrogate characters pair up in spite of being invalid.\n\u003e\u003e\u003e ujson.loads(r'\"\\uD800foo bar\\uDC00\"')\n'foo bar𐀀'\n```\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nUsers should upgrade to UltraJSON 5.4.0.\n\nFrom version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output:\n\n```python3\n\u003e\u003e\u003e ujson.loads(r'\"\\uD800\"')\n'\\ud800'\n\u003e\u003e\u003e ujson.loads(r'\"\\uD800hello\"')\n'\\ud800hello'\n\u003e\u003e\u003e ujson.loads(r'\"\\uDC00\"')\n'\\udc00'\n\u003e\u003e\u003e ujson.loads(r'\"\\uD800foo bar\\uDC00\"')\n'\\ud800foo bar\\udc00'\n```\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nShort of switching to an entirely different JSON library, there are no safe alternatives to upgrading.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [UltraJSON](http://github.com/ultrajson/ultrajson/issues)\n","aliases":["CVE-2022-31116"],"modified":"2024-02-21T05:24:44.762164Z","published":"2022-07-05T21:06:00Z","database_specific":{"github_reviewed_at":"2022-07-05T21:06:00Z","nvd_published_at":"2022-07-05T18:15:00Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-670"]},"references":[{"type":"WEB","url":"https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31116"},{"type":"WEB","url":"https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687"},{"type":"PACKAGE","url":"https://github.com/ultrajson/ultrajson"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7"}],"affected":[{"package":{"name":"ujson","ecosystem":"PyPI","purl":"pkg:pypi/ujson"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.0"}]}],"versions":["1.15","1.18","1.19","1.21","1.22","1.23","1.30","1.33","1.34","1.35","1.4","1.6","1.8","1.9","2.0.0","2.0.1","2.0.2","2.0.3","3.0.0","3.1.0","3.2.0","4.0.0","4.0.1","4.0.2","4.1.0","4.2.0","4.3.0","5.0.0","5.1.0","5.2.0","5.3.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-wpqr-jcpx-745r/GHSA-wpqr-jcpx-745r.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}