Both upickle and ujson have security vulnerablities

Question

Both upickle and ujson have security vulnerablities

plokhotnyuk opened this issue 2 years ago · 6 comments

Please, see com-lihaoyi/upickle#416 (comment)

Answer 1 · 2023-01-12T13:41:25.000Z

Hi! Thank you for creating the issue. We are aware, and it's important for us to address it with the library maintainers. I will keep this issue as a place to post updates.

Answer 2 · 2023-03-12T09:52:27.000Z

Fixed in upickle v3.0.0 https://github.com/com-lihaoyi/upickle/releases/tag/3.0.0

Answer 3 · 2023-03-12T22:57:56.000Z

I don't think this should be closed until the patched version is part of the build?

Answer 4 · 2023-03-12T23:59:47.000Z

@bishabosha You are right.

Also, need to check for other possible vulnerabilities like DoS by parsing of too big numbers or too deeply nested JSON arrays/objects.

Answer 5 · 2023-03-16T13:44:17.000Z

Update to upickle 3.0.0 was merged.

Answer 6 · 2023-03-16T13:44:29.000Z

@plokhotnyuk that's a good idea for another issue