
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-31116 is a security vulnerability discovered in UltraJSON (ujson), an ultra-fast JSON encoder and decoder written in pure C with Python bindings. The vulnerability was disclosed on July 2, 2022, affecting versions prior to 5.4.0. The issue involves improper decoding of escaped surrogate characters not part of a proper surrogate pair, which could lead to string corruption, key confusion, and value overwriting in dictionaries (GitHub Advisory).
The vulnerability stems from the incorrect handling of JSON strings containing escaped surrogate characters. When parsing JSON from untrusted sources, unpaired high surrogate characters were ignored, while unpaired low surrogate characters were preserved. Additionally, surrogates with intervening non-surrogate characters would incorrectly pair up despite being invalid. For example, '\uD800' would decode to an empty string, '\uD800hello' would decode to 'hello', and '\uDC00' would be preserved as '\udc00' (GitHub Advisory).
The vulnerability could lead to string corruption, key confusion, and value overwriting in dictionaries when processing JSON data: two keys that differ only by a lone surrogate decode to the same string, so one entry silently overwrites the other. This poses a significant risk for applications parsing JSON from untrusted sources, since crafted input could manipulate data structures in unexpected ways (GitHub Advisory, Red Hat Portal).
Users should upgrade to UltraJSON version 5.4.0 or later, which fixes the vulnerability by implementing proper handling of surrogate pairs. In the patched version, lone surrogates are preserved in the parsed output, matching the behavior of Python's standard library json module. There are no safe alternatives to upgrading short of switching to an entirely different JSON library (GitHub Advisory, Fedora Update).
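The following Python probe is an added example; it is not code from this page or from the ujson project. It encodes the three decoding cases quoted above as test vectors, compares any `loads`-style decoder against the lone-surrogate behavior of the standard library `json` module (which the 5.4.0 fix matches), and shows the key-collision effect on a two-key object. `vulnerable_model_loads` is a constructed model of the pre-5.4.0 behavior described in the advisory (drop unpaired high surrogates, keep unpaired low ones), not ujson's real decoder, and it does not model the cross-character pairing case. To probe a real installation, pass `ujson.loads` to `probe_decoder` and `key_count` instead.

```python
"""Probe a JSON decoder for the lone-surrogate handling described in CVE-2022-31116."""
import json
from typing import Any, Callable

# Test vectors taken from the advisory text. Expected values are what Python's
# stdlib json returns: a lone surrogate is preserved, never dropped.
SURROGATE_VECTORS = {
    r'"\uD800"': "\ud800",            # lone high surrogate
    r'"\uD800hello"': "\ud800hello",  # lone high surrogate followed by text
    r'"\uDC00"': "\udc00",            # lone low surrogate
}

# Constructed object whose two keys differ only by a lone high surrogate.
# A decoder that drops the surrogate collapses both keys to "a".
KEY_CONFUSION_DOC = r'{"\uD800a": 1, "a": 2}'


def probe_decoder(loads: Callable[[str], Any]) -> list:
    """Return (document, expected, got) for every vector the decoder mishandles.

    An empty list means the decoder preserves lone surrogates like stdlib json.
    """
    failures = []
    for doc, expected in SURROGATE_VECTORS.items():
        try:
            got = loads(doc)
        except Exception as exc:  # a decoder that rejects the input is also non-matching
            got = repr(exc)
        if got != expected:
            failures.append((doc, expected, got))
    return failures


def key_count(loads: Callable[[str], Any]) -> int:
    """Number of keys after decoding KEY_CONFUSION_DOC (2 is correct, 1 means collision)."""
    return len(loads(KEY_CONFUSION_DOC))


def _drop_lone_high_surrogates(value: Any) -> Any:
    """Recursively remove unpaired high surrogates (U+D800..U+DBFF) from decoded data.

    After json.loads, valid pairs have already become single code points above
    U+FFFF, so any remaining high-surrogate code unit is unpaired.
    """
    if isinstance(value, str):
        return "".join(c for c in value if not 0xD800 <= ord(c) <= 0xDBFF)
    if isinstance(value, list):
        return [_drop_lone_high_surrogates(v) for v in value]
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            out[_drop_lone_high_surrogates(k)] = _drop_lone_high_surrogates(v)
        return out
    return value


def vulnerable_model_loads(doc: str) -> Any:
    """Constructed model of the pre-5.4.0 behavior: decode, then drop lone high surrogates."""
    return _drop_lone_high_surrogates(json.loads(doc))


def stdlib_failures() -> list:
    """Stdlib json is the reference, so this should be empty."""
    return probe_decoder(json.loads)


def model_failures() -> list:
    """The vulnerable model should fail the two high-surrogate vectors only."""
    return probe_decoder(vulnerable_model_loads)


if __name__ == "__main__":
    print("stdlib json failures:", stdlib_failures())
    print("vulnerable model failures:", model_failures())
    print("keys with stdlib json:", key_count(json.loads))
    print("keys with vulnerable model:", key_count(vulnerable_model_loads))
```

A non-empty result from `probe_decoder`, or a key count of 1, is the signal that the decoder in use still exhibits the pre-5.4.0 behavior and that the upgrade has not taken effect.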
Source: This report was generated using AI