simplejson Security Audit

X41 performed a security source code audit of the simplejson Python Library, which is used to serialize and deserialize JSON objects. The audit was sponsored once again by the Open Source Technology Improvement Fund and the report is being released after the developer was able to read and act on it.

Full report of the security audit:
https://www.x41-dsec.de/static/reports/X41-OSTIF-simplejson-CodeRview-2023-04-18.pdf

Audit Results

A total of three vulnerabilities were discovered during the test by X41. None were rated as having a critical or high severity, one as medium, and two as low. Additionally, nine issues without a direct security impact were identified.

The most severe issue identified is quadratic parsing behavior for integers. It originates in a flaw in Python's own int() parsing code (CVE-2020-10735) and can be triggered via long integers in the input JSON data.

One low risk issue is related to a missing Python object reference counter decrease when Python 2 is used. The other issue is caused by parsing discrepancies in Unicode escape sequences where the optimized C code parses the escape sequences correctly but the plain Python implementation accepts invalid sequences. The culprit is again the integer parsing which, among other characters, accepts spaces and underscores in the data being parsed.

Besides the code being reviewed, several fuzz testing harnesses were developed to perform differential fuzz testing to compare the Python and C implementations. Additionally, limited differential fuzz testing was performed to identify parsing discrepancies between simplejson and orjson.
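The Unicode escape discrepancy and the differential testing approach described above can be illustrated with a small model. This is an added example, not code from simplejson or from the audit report; the function names and the sample inputs are constructed for illustration. It compares a \u escape decoder that passes the four characters directly to int() with one that first checks for exactly four hexadecimal digits:

```python
import string

HEX_DIGITS = frozenset(string.hexdigits)  # 0-9, a-f, A-F only

def lenient_u_escape(four):
    """Hypothetical lenient decoder: hands the 4 characters straight to int()."""
    if len(four) != 4:
        raise ValueError("truncated \\u escape")
    # int() on Python 3.6+ also accepts surrounding whitespace,
    # '_' between digits, a sign, and a '0x' prefix for base 16.
    return int(four, 16)

def strict_u_escape(four):
    """Hypothetical strict decoder: exactly four hexadecimal digits, nothing else."""
    if len(four) != 4 or not all(c in HEX_DIGITS for c in four):
        raise ValueError("invalid \\u escape: %r" % four)
    return int(four, 16)

def outcome(parser, four):
    """Normalise a parser's result so two implementations can be compared."""
    try:
        return ("ok", parser(four))
    except ValueError:
        return ("error", None)

def find_discrepancies(samples):
    """Differential check: return the inputs on which the two parsers disagree."""
    return [s for s in samples
            if outcome(lenient_u_escape, s) != outcome(strict_u_escape, s)]

# Constructed sample inputs: the four characters following "\u" in a JSON string.
SAMPLES = ["0041", "00e9", "1_23", " 41 ", "+041", "0x41", "zzzz", "41"]

if __name__ == "__main__":
    for s in find_discrepancies(SAMPLES):
        print("%r: lenient=%r strict=%r" % (
            s, outcome(lenient_u_escape, s), outcome(strict_u_escape, s)))
```

Each reported input is one that a strict JSON parser rejects but the int()-based decoder silently turns into a code point, which is the kind of disagreement a differential fuzzing harness is built to surface.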

Overall, the lack of high-severity issues attests to the maturity of this project, and the code base shows that it was fuzz tested before.

simplejson’s announcement can be read here:
https://bob.ippoli.to/archives/2023/04/26/simplejson-audit/

OSTIF’s announcement can be found at:
https://ostif.org/our-audit-of-simplejson-is-complete/

