Summary
The Datadog-Python313 Lambda layer (currently at version 123) bundles a version of ujson that is affected by two high-severity CVEs:

These are being flagged as active findings by AWS Inspector on any Lambda function using the Datadog-Python313 layer, with no ability to remediate on our end since the vulnerable package is bundled inside the layer itself.
Impact
All Lambda functions using the Datadog-Python313 layer are flagged as vulnerable in AWS Inspector. This blocks security compliance for teams that rely on Inspector findings to gate deployments or meet audit requirements.
Expected Fix
Please bump ujson to >= 5.10.0 in ddtrace dependencies and publish a new Datadog-Python313 layer version.
Workaround
We are currently pinning ujson>=5.10.0 in our own Lambda layer to override the vulnerable version at runtime, but this is not a sustainable long-term fix.
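An added check (not part of this issue or of Datadog's code) that models how Lambda merges layers into /opt and audits which ujson package metadata survives, so a team using the override workaround can see whether a metadata-based scanner would still find the older package. The 5.4.0 sample version, the layer file contents and the regex for the dist-info path are constructed assumptions.

```python
import re

MIN_FIXED = "5.10.0"  # minimum the issue asks ddtrace to require
# ujson's dist-info METADATA under a layer's python/ prefix (either layout)
META_RE = re.compile(r"^python/(?:lib/python3\.\d+/site-packages/)?ujson-[^/]+\.dist-info/METADATA$")

def parse_version(v: str) -> tuple:
    """'5.10.0' -> (5, 10, 0); a trailing tag such as 'rc1' is ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def is_fixed(version: str, minimum: str = MIN_FIXED) -> bool:
    return parse_version(version) >= parse_version(minimum)

def merge_layers(layers: list[dict[str, str]]) -> dict[str, str]:
    """Model of how Lambda assembles /opt: layers are extracted in list order,
    so a file shipped by several layers is the copy from the last one."""
    merged: dict[str, str] = {}
    for layer in layers:
        merged.update(layer)
    return merged

def ujson_versions(merged: dict[str, str]) -> list[str]:
    """Every ujson version whose package metadata survives the merge."""
    found = []
    for path, content in sorted(merged.items()):
        if META_RE.match(path):
            for line in content.splitlines():
                if line.startswith("Version:"):
                    found.append(line.split(":", 1)[1].strip())
    return found

def audit(merged: dict[str, str]) -> dict:
    """clean only if no sub-5.10.0 ujson metadata remains anywhere in /opt.
    Assumption: a scanner that inventories packages from dist-info would still
    report the older one, even though the runtime import picks the override."""
    versions = ujson_versions(merged)
    return {"versions": versions,
            "clean": bool(versions) and all(is_fixed(v) for v in versions)}

# Constructed sample layers; the issue does not say which ujson the Datadog
# layer ships, so 5.4.0 is only a placeholder that sits below the fix.
SO = "python/ujson.cpython-313-x86_64-linux-gnu.so"
DATADOG_LAYER = {SO: "old-binary", "python/ujson-5.4.0.dist-info/METADATA": "Version: 5.4.0\n"}
OVERRIDE_LAYER = {SO: "new-binary", "python/ujson-5.10.0.dist-info/METADATA": "Version: 5.10.0\n"}

if __name__ == "__main__":
    print(audit(merge_layers([DATADOG_LAYER, OVERRIDE_LAYER])))
```

The override layer wins the module file only when it is listed after the Datadog layer; the audit shows that the older dist-info still remains in /opt regardless of order.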
Environment
Please treat this as urgent — these are active High severity findings affecting production workloads.