python · ujson · Heads-up
ujson: dumps() with reject_bytes=False silently corrupts malformed UTF-8
What changed
ujson.dumps() with reject_bytes=False may silently rewrite malformed UTF-8 byte sequences into different Unicode characters, leading to input validation bypass and data integrity issues.
Who it affects
Users of ujson who use reject_bytes=False and rely on correct UTF-8 handling.
What to do today
Upgrade to UltraJSON 5.13.0 or decode bytes to strings before passing to ujson.dumps().
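One way to apply the "decode bytes to strings first" workaround, as an added example that is not code from the advisory or from the ujson project: every bytes value is decoded as strict UTF-8 before serialization, so malformed input raises instead of being rewritten. The names `decode_bytes_strict`, `safe_dumps` and `MalformedUTF8` and the sample inputs are assumptions made for illustration.

```python
from typing import Any


class MalformedUTF8(ValueError):
    """Raised when a bytes value is not valid UTF-8."""


def decode_bytes_strict(obj: Any, path: str = "$") -> Any:
    """Return a copy of obj with every bytes value decoded as strict UTF-8.

    Malformed sequences raise MalformedUTF8 naming the offending location,
    so nothing is silently replaced or rewritten.
    """
    if isinstance(obj, (bytes, bytearray)):
        try:
            return bytes(obj).decode("utf-8", errors="strict")
        except UnicodeDecodeError as exc:
            raise MalformedUTF8(f"{path}: invalid UTF-8 at byte {exc.start}") from exc
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            # Bytes keys get the same strict treatment as bytes values.
            if isinstance(key, (bytes, bytearray)):
                key = decode_bytes_strict(key, f"{path}.<key>")
            out[key] = decode_bytes_strict(value, f"{path}.{key}")
        return out
    if isinstance(obj, (list, tuple)):
        return [decode_bytes_strict(v, f"{path}[{i}]") for i, v in enumerate(obj)]
    return obj


def safe_dumps(obj: Any) -> str:
    """Serialize with ujson after strict decoding; ujson never sees raw bytes."""
    import ujson  # imported lazily so the decoder above works without ujson

    # reject_bytes=True makes any bytes that slipped through an error.
    return ujson.dumps(decode_bytes_strict(obj), reject_bytes=True)


# Constructed sample inputs (not taken from the advisory).
VALID = {"user": b"caf\xc3\xa9", "tags": [b"a", "b"]}
MALFORMED = {"user": "alice", "comment": [b"ok", b"bad \xc0\xaf seq"]}
```

Validation that runs on the decoded strings then sees exactly the characters that will be serialized.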
Source
GitHub Advisory · ujson