Stack Overflowing the Unoverflowable: Breaking orjson (CVE-2025-67221)
Vulnerability ID: CVE-2025-67221
CVSS Score: 7.5
Published: 2026-01-22
orjson, the self-proclaimed 'fastest, most correct' Python JSON library, met its match in a simple deeply nested list. CVE-2025-67221 is a high-severity (CVSS 7.5) denial-of-service vulnerability: deep nesting passed to orjson.dumps() drives the serializer into unbounded recursion until the native call stack is exhausted, and the Python process dies on the spot. Rust's memory safety does not help here. Exhausting the stack is not a memory-corruption bug; the process runs into the stack guard page and is killed (typically reported as a segmentation fault), and because that happens in native code it cannot be caught with a Python try/except.
TL;DR
Versions of orjson <= 3.11.4 fail to limit recursion depth during serialization. An attacker can crash any Python application using orjson.dumps() by supplying a deeply nested JSON object (e.g., a list of lists of lists). The fix requires upgrading to 3.11.5+.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-674 (Uncontrolled Recursion)
- CVSS: 7.5 (High)
- Attack Vector: Network (Remote)
- Availability Impact: High (Process Crash)
- Language: Python / Rust
- Exploit Status: PoC Available
Affected Systems
- Python applications using orjson <= 3.11.4
- FastAPI applications that return ORJSONResponse (orjson is optional in FastAPI and not the default response class, but it is commonly enabled for speed)
- Data processing pipelines utilizing orjson for serialization
- orjson: <= 3.11.4 (fixed in 3.11.5)
Exploit Details
- GitHub (Researcher PoC): Python script demonstrating segmentation fault via nested list serialization
Mitigation Strategies
- Upgrade orjson to version 3.11.5 or higher.
- Validate untrusted input and reject excessively nested structures before they reach the serializer. Because the crash happens in native code, wrapping orjson.dumps() in try/except does not help; the check has to run before the call.
- Use process supervisors (systemd, Docker restart policies, or gunicorn/uvicorn worker managers) to restart crashed workers automatically. This limits the blast radius but does not stop an attacker from repeatedly killing workers, so it complements the upgrade rather than replacing it.
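The pre-serialization depth check from the second mitigation bullet, as an added example (not code from the advisory or from orjson itself). It assumes a ceiling of 64 nesting levels and falls back to the standard library when orjson is not installed; the walker uses an explicit stack rather than recursion so that the guard cannot itself be overflowed by the payload it is screening, and it stops at the first level past the limit instead of walking the whole object.

```python
"""Bound nesting depth before calling orjson.dumps().

Added example, not orjson's own code. A stack overflow inside the
serializer kills the interpreter and cannot be caught, so the only place
to stop a hostile payload is before the serializer sees it.
"""
import json

try:
    import orjson
except ImportError:  # assumption: fall back to the stdlib if orjson is absent
    orjson = None

# Assumption: 64 levels is generous for real documents yet far below
# anything that can exhaust a thread's stack. Tune it for your schema.
MAX_DEPTH = 64


class NestingTooDeep(ValueError):
    """Raised when an object nests deeper than the configured limit."""


def nested_list(levels):
    """Constructed test input: a list nested ``levels`` deep, built iteratively."""
    obj = []
    for _ in range(levels - 1):
        obj = [obj]
    return obj


def nesting_depth(obj, limit=MAX_DEPTH):
    """Return the container nesting depth of ``obj`` (scalars are depth 0).

    Walks with an explicit stack instead of recursion, so the guard itself
    cannot be stack-overflowed by the payload it screens. Raises
    NestingTooDeep as soon as ``limit`` is exceeded rather than walking the
    whole object. Only dict/list/tuple are descended into; objects that
    orjson would serialize through a ``default=`` hook are not inspected.
    """
    deepest = 0
    stack = [(obj, 0)]  # (node, depth of the container holding it)
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue  # scalar: adds no depth
        depth += 1
        if depth > limit:
            raise NestingTooDeep(f"nesting depth exceeds {limit}")
        deepest = max(deepest, depth)
        stack.extend((child, depth) for child in children)
    return deepest


def is_safe_to_serialize(obj, limit=MAX_DEPTH):
    """True when ``obj`` stays within ``limit`` and may be handed to the serializer."""
    try:
        nesting_depth(obj, limit)
    except NestingTooDeep:
        return False
    return True


def safe_dumps(obj, limit=MAX_DEPTH):
    """Serialize ``obj`` to bytes, refusing payloads nested deeper than ``limit``."""
    nesting_depth(obj, limit)  # raises before any native code runs
    if orjson is not None:
        return orjson.dumps(obj)
    return json.dumps(obj, separators=(",", ":")).encode()


if __name__ == "__main__":
    print(safe_dumps({"user": "alice", "tags": ["a", ["b"]]}))
    print(is_safe_to_serialize(nested_list(10_000)))  # False: rejected, no crash
```

Put the check at the trust boundary (request body parsing, message-queue consumers) rather than next to every dumps() call, and keep the limit in one place so it can be lowered if a schema never legitimately nests more than a handful of levels.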
Remediation Steps:
- Run pip install --upgrade orjson.
- Verify the installed version with pip show orjson, ensuring it is >= 3.11.5.
- Audit codebases for orjson.dumps() calls on untrusted input.
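The last two remediation steps, as an added example that is not part of the advisory or of orjson: a version check against the fixed release, and an AST scan that lists the lines where orjson.dumps() is called, whether through the module name, an import alias, or from orjson import dumps. The source it scans is constructed for the example, and plain X.Y.Z version strings are assumed (pre-release suffixes are ignored; use packaging.version for anything more exotic).

```python
"""Remediation helpers for CVE-2025-67221.

Added example, not part of the advisory or of orjson. Checks the installed
orjson version against the fixed release and locates orjson.dumps() call
sites so each one can be reviewed for untrusted input.
"""
import ast
from importlib import metadata

FIXED_VERSION = (3, 11, 5)  # first release with the fix, per the advisory


def parse_version(text):
    """Turn '3.11.4' into (3, 11, 4). Assumption: plain X.Y.Z strings;
    a trailing pre-release tag such as 'rc1' is ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable_version(text):
    """True for any orjson release <= 3.11.4."""
    return parse_version(text) < FIXED_VERSION


def installed_orjson_status():
    """Return (version_string, vulnerable), or (None, False) if orjson is not installed."""
    try:
        ver = metadata.version("orjson")
    except metadata.PackageNotFoundError:
        return None, False
    return ver, is_vulnerable_version(ver)


class DumpsCallFinder(ast.NodeVisitor):
    """Collect line numbers of calls that resolve to orjson.dumps."""

    def __init__(self):
        self.aliases = set()  # names bound by `import orjson [as X]`
        self.direct = set()   # names bound by `from orjson import dumps [as Y]`
        self.hits = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "orjson":
                self.aliases.add(alias.asname or "orjson")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "orjson":
            for alias in node.names:
                if alias.name == "dumps":
                    self.direct.add(alias.asname or "dumps")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr == "dumps"
                and isinstance(func.value, ast.Name) and func.value.id in self.aliases):
            self.hits.append(node.lineno)
        elif isinstance(func, ast.Name) and func.id in self.direct:
            self.hits.append(node.lineno)
        self.generic_visit(node)


def find_dumps_calls(source):
    """Return sorted line numbers of orjson.dumps() calls in ``source``."""
    finder = DumpsCallFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.hits)


# Constructed sample module to scan; not taken from any real project.
SAMPLE_SOURCE = """\
import orjson
from orjson import dumps as fast_dumps
import json


def handler(payload):
    body = orjson.dumps(payload)       # orjson.dumps on request data: review
    audit = fast_dumps({"ok": True})   # aliased import, also orjson.dumps
    return json.dumps(payload)         # stdlib json, not orjson
"""


if __name__ == "__main__":
    version, vulnerable = installed_orjson_status()
    print("installed orjson:", version, "vulnerable:", vulnerable)
    print("orjson.dumps() call sites:", find_dumps_calls(SAMPLE_SOURCE))
```

The scan only resolves names bound by explicit imports in the same file, so indirect wrappers (a helper module that re-exports dumps) need a second pass over that module; it is a triage aid for the audit step, not proof of absence.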