Deserialization of Untrusted Data in the json Module

The Python json module provides a way to parse and generate JSON data. However, it is important to be aware that malicious JSON strings can be used to attack applications that use the json module. For example, a malicious JSON string could be used to cause the decoder to consume considerable CPU and memory resources, which could lead to a denial-of-service attack.

Example

import json


json.loads('["foo", {"bar":["baz", null, 1.0, 2]}]')

Remediation

To avoid this vulnerability, it is important to only parse JSON data from trusted sources. If you are parsing JSON data from an untrusted source, you should first sanitize the data to remove any potential malicious code.

See also

• json — JSON encoder and decoder
• CWE-502: Deserialization of Untrusted Data

New in version 0.1.0