Attack Chain

1. The attacker identifies an application that uses ujson.dump() to serialize data to a file-like object.
2. The attacker crafts a malicious input that, when processed by the application, triggers the ujson.dump() function.
3. The application calls ujson_dumps_internal() to serialize the data, allocating a Python string object.
4. The application attempts to write the serialized data to a file-like object using the file’s write() method.
5. The attacker manipulates the file-like object to raise an exception during the write() operation.
6. The write() method fails, raising an exception that is caught by the application.
7. The objToJSONFile() function returns early due to the exception, without calling Py_DECREF(string) to de-reference the allocated string object.
8. The leaked memory accumulates with each failed write attempt, eventually exhausting the application’s memory and causing a denial-of-service.

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition, where the application becomes unresponsive due to memory exhaustion. In a web server context, an attacker can repeatedly make requests and close the connection mid-response to trigger the memory leak. This can quickly consume all available memory, causing the server to crash or become unavailable to legitimate users. This vulnerability can impact any application that uses ujson.dump() and handles attacker-influenced file-like objects.

Recommendation

• Upgrade to UltraJSON version 5.12.1 or later to remediate the memory leak (see Remediation).
• Replace ujson.dump(obj, file) with file.write(ujson.dumps(obj)) as a workaround to avoid the memory leak (see Workarounds).
• Enable process memory monitoring to detect processes with unusual memory growth patterns, which may indicate exploitation attempts.
• Deploy the Sigma rule Detect UltraJSON ujson.dump Memory Leak to identify potential exploitation attempts by monitoring for write operations to file-like objects.