CVE-2022-31116: Incorrect handling of invalid surrogate pair characters
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.32458%
CWE
Published
7/5/2022
Updated
1/27/2023
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ujson | pip | < 5.4.0 | 5.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper surrogate handling during JSON decoding. The commit shows critical changes in decode_string() where wchar_t was replaced with JSUINT32 (fixed 32-bit storage) and surrogate combination logic was removed. Similarly, Object_newString was modified to use Py_UCS4 instead of wchar_t. These changes directly address the root cause of incorrect surrogate preservation described in the advisory. The test case removals confirm these functions were the source of platform-dependent surrogate handling issues.