UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.
UltraJSON: Memory Leak in ujson.dump() on Write Failure
Problem type
CWE-401: Missing Release of Memory after Effective Lifetime
Affected products
ultrajson
< 5.12.1 - AFFECTED
References
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9
https://github.com/ultrajson/ultrajson/releases/tag/5.12.1
GitHub Security Advisories
GHSA-c38f-wx89-p2xg
UltraJSON has a Memory Leak in ujson.dump() on Write Failure
https://github.com/advisories/GHSA-c38f-wx89-p2xg
Summary
When ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload.
Code that uses ujson.dumps() rather than ujson.dump() or only JSON load/decode methods is unaffected.
Details
Vulnerability Location:
src/ujson/python/objToJSON.c:913 - objToJSONFile() function start
src/ujson/python/objToJSON.c:931 - Error return on write failure
src/ujson/python/objToJSON.c:942 - Early return without cleanup
Root Cause:
The objToJSONFile() function allocates a Python string object via ujson_dumps_internal(), calls the file's write() method, and returns early if write() raises an exception, but it never calls Py_DECREF(string) on that early exit path, so the serialized string is never released.
PoC
import gc, tracemalloc, ujson

class BadFile:
    # File-like object whose write() always fails
    def write(self, s):
        raise RuntimeError("boom")

obj = {"x": "A" * 200000}   # roughly 200 KB once serialized

def run():
    try:
        ujson.dump(obj, BadFile())
    except RuntimeError:
        pass

run()                 # warm up once before measuring
tracemalloc.start()
gc.collect()
base = tracemalloc.get_traced_memory()[0]
for i in range(5):
    run()
    gc.collect()
    cur = tracemalloc.get_traced_memory()[0]
    print(i, cur - base)  # on affected versions grows by about the payload size each iteration
Impact
Any application that serializes data through ujson.dump() to an attacker-influenced file-like object whose write() can fail can be driven into linear memory growth. For example, an attacker can quickly exhaust the memory of a web server that sends JSON responses using ujson.dump() by repeatedly making requests and then closing the connection mid-response, so that each write fails and leaks the full response.
Remediation
The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to UltraJSON 5.12.1.
Workarounds
Replacing ujson.dump(obj, file) with file.write(ujson.dumps(obj)) is equivalent (contrary to popular misconception, there are no streaming benefits to using ujson.dump()) and will avoid the memory leak.
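The following is an added example, not code from the advisory or from the ultrajson project. It ties together the PoC above and this workaround: safe_dump() is the dumps()-then-write() replacement the advisory recommends, and leaks_per_call() is a reusable regression check built on the same tracemalloc technique as the PoC, so a team can confirm that a given dump function releases its payload when write() fails. Because the harness must run even where ujson is absent, it falls back to the standard-library json module; leaky_dump() is a constructed stand-in that mimics the pre-5.12.1 symptom (a failed write retains the whole serialized payload) and is not ujson's real code.

```python
"""Added example (not part of the advisory or the ultrajson project).

Assumptions: `ujson` may or may not be installed; when it is missing the
harness falls back to the stdlib `json` module. `leaky_dump()` is a
constructed stand-in that reproduces the advisory's symptom in pure Python
and is NOT the project's actual code.
"""
import gc
import json
import tracemalloc
from typing import Any, Callable, List

try:
    import ujson as _json
except ImportError:  # fallback so the example runs without ujson installed
    _json = json


class FailingFile:
    """Constructed file-like object whose write() always fails, as in the PoC."""

    def write(self, s: str) -> int:
        raise RuntimeError("boom")


def safe_dump(obj: Any, fp) -> None:
    """The advisory's workaround: serialize to a str first, then write it.

    The serialized str is an ordinary Python object owned by this frame, so if
    fp.write() raises, the str is released when the frame unwinds.
    """
    payload = _json.dumps(obj)
    fp.write(payload)


_retained: List[str] = []  # constructed: stands in for the never-decref'd string


def leaky_dump(obj: Any, fp) -> None:
    """Constructed stand-in for the pre-5.12.1 behaviour: on a failed write the
    payload is never released (here it is parked in a module-level list)."""
    payload = _json.dumps(obj)
    try:
        fp.write(payload)
    except Exception:
        _retained.append(payload)  # simulates the missing Py_DECREF(string)
        raise


def leaks_per_call(dump: Callable[[Any, Any], None], obj: Any,
                   rounds: int = 5, threshold_bytes: int = 1024) -> bool:
    """Drive `dump` against a failing file `rounds` times and report whether
    traced memory grew by more than `threshold_bytes` per failed call."""

    def one_round() -> None:
        try:
            dump(obj, FailingFile())
        except RuntimeError:
            pass

    one_round()  # warm up: one-time allocations must not count as a leak
    tracemalloc.start()
    try:
        gc.collect()
        base = tracemalloc.get_traced_memory()[0]
        for _ in range(rounds):
            one_round()
        gc.collect()
        growth = tracemalloc.get_traced_memory()[0] - base
    finally:
        tracemalloc.stop()
    return growth / rounds > threshold_bytes


if __name__ == "__main__":
    sample = {"x": "A" * 200000}  # constructed input, ~200 KB serialized
    print("leaky_dump leaks:", leaks_per_call(leaky_dump, sample))
    print("safe_dump leaks:", leaks_per_call(safe_dump, sample))
```

To check an installed ujson rather than the stand-in, pass ujson.dump itself as the dump callable; on versions before 5.12.1 the check returns True, on 5.12.1 and later it returns False. The per-call threshold is deliberately far below the payload size so that allocator noise does not produce false positives while a leaked 200 KB payload is unmistakable.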
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-44660
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-44660",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-27T20:42:59.830Z",
    "dateReserved": "2026-05-07T16:20:08.659Z",
    "datePublished": "2026-05-27T20:42:59.830Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-27T20:42:59.830Z"
      },
      "title": "UltraJSON: Memory Leak in ujson.dump() on Write Failure",
      "descriptions": [
        {
          "lang": "en",
          "value": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1."
        }
      ],
      "affected": [
        {
          "vendor": "ultrajson",
          "product": "ultrajson",
          "versions": [
            {
              "version": "< 5.12.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "cweId": "CWE-401",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg",
          "name": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9",
          "name": "https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.1",
          "name": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.1",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}