Anonymous Intelligence Signal

UltraJSON (ujson) v5.12.0 Patches Critical Integer Overflow Flaw [CVE-2026-32875]

The Lab (unverified), 2026-03-26 14:27:35. Source: GitHub Issues

A critical security vulnerability in the widely used UltraJSON (ujson) Python library calls for an urgent dependency update. The flaw, tracked as CVE-2026-32875, can crash the Python interpreter (segmentation fault) or trap it in an infinite loop. It originates in `ujson.dumps()`, which suffers an integer overflow when the product of the `indent` parameter and the nesting depth of the input exceeds INT32_MAX (2^31 - 1). Because the overflow is reachable through the encoder's ordinary arguments, it is a direct denial-of-service risk for any application that uses ujson to serialize untrusted or deeply nested data.
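The following is an added example, not code from the ujson project or from the advisory. It shows the two checks a maintainer can put in place while the upgrade rolls out: a version gate against 5.12.0, and a pre-serialization guard that computes the nesting depth of the object iteratively and refuses the call when `indent * depth` would exceed INT32_MAX, the condition described above. The helper names (`nesting_depth`, `guarded_dumps`, `is_patched_version`, `build_nested`) and the policy depth limit of 64 are this example's own assumptions; the `dumps` argument defaults to the standard library encoder so the block runs without ujson installed, and a caller would pass `ujson.dumps` in production.

```python
"""Pre-serialization guard for the ujson indent * depth overflow condition.

Added example, not part of ujson or the advisory. It assumes the overflow
condition as stated in the text (indent * nesting depth > INT32_MAX) and
treats any input that could reach it as hostile. All helper names are
this example's own.
"""
import json

INT32_MAX = 2**31 - 1
PATCHED_VERSION = (5, 12, 0)  # first release the advisory names as fixed


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Non-numeric suffixes (e.g. 'rc1') and extra components are ignored;
    this is a deliberately small parser, not a PEP 440 implementation.
    """
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched_version(version):
    """True when the installed ujson version is at or past the fixed release."""
    return parse_version(version) >= PATCHED_VERSION


def nesting_depth(obj):
    """Return the maximum container nesting depth of obj.

    Uses an explicit stack instead of recursion so that attacker-supplied
    deep input cannot raise RecursionError inside the guard itself.
    Scalars have depth 0; an empty list or dict has depth 1.
    """
    max_depth = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue  # scalar: contributes no depth of its own
        max_depth = max(max_depth, depth)
        for child in children:
            stack.append((child, depth + 1))
    return max_depth


def indent_is_safe(indent, depth):
    """True when indent * depth stays within INT32_MAX.

    indent <= 0 means no pretty-printing, so the product is 0 and safe.
    """
    if indent <= 0:
        return True
    return indent * depth <= INT32_MAX


def guarded_dumps(obj, indent=0, dumps=json.dumps, max_depth=64):
    """Serialize obj, refusing input that could reach the overflow condition.

    max_depth is an application policy limit (assumed here), applied before
    the arithmetic check: a depth that cannot overflow the encoder may still
    be unreasonable for the service. `dumps` defaults to the stdlib encoder;
    pass ujson.dumps in production.
    """
    depth = nesting_depth(obj)
    if depth > max_depth:
        raise ValueError(f"nesting depth {depth} exceeds policy limit {max_depth}")
    if not indent_is_safe(indent, depth):
        raise ValueError(f"indent {indent} * depth {depth} exceeds INT32_MAX")
    # json.dumps(indent=0) still inserts newlines; treat 0 as "compact".
    return dumps(obj, indent=indent) if indent else dumps(obj)


def build_nested(depth):
    """Constructed sample input: a list nested `depth` levels deep."""
    node = []
    for _ in range(depth - 1):
        node = [node]
    return node


if __name__ == "__main__":
    print(guarded_dumps({"a": [1]}, indent=2))
    try:
        guarded_dumps(build_nested(3), indent=2**30)
    except ValueError as exc:
        print("refused:", exc)
```

The policy limit does the real work: for realistic indent values (2, 4) the INT32_MAX check only trips at depths no service should accept anyway, so bounding depth at the boundary is what keeps untrusted input away from the encoder.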

The vulnerability is addressed in UltraJSON version 5.12.0. Automated dependency management tools like RenovateBot are flagging the update as a high-priority security fix, moving projects from the vulnerable 5.11.0 release. The advisory, GHSA-c8rr-9gxc-jprv, confirms the patch mitigates the crash and infinite loop scenarios triggered by malicious or malformed input with deeply nested structures and large indent values.

This is a supply-chain security event for the Python ecosystem. Any service, API, or data pipeline that relies on ujson for high-performance JSON encoding is potentially exposed until the patch is applied, and exposure is greatest where the encoder handles data whose nesting an outside party controls. Because the flaw can take down the interpreter outright, it is a vector for service disruption, and maintainers should review and merge the dependency update promptly.