GHSA-xf7x-x43h-rpqh: Denial of Service via Unconstrained Circular Reference Resolution in json-repair
Vulnerability ID: GHSA-XF7X-X43H-RPQH
CVSS Score: 7.5
Published: 2026-07-13
A Denial of Service vulnerability exists in the json-repair Python library due to an unconstrained loop during JSON Schema reference resolution. By submitting a circular JSON Schema, an attacker can trigger infinite recursion, causing 100 percent CPU exhaustion. Because this package is heavily utilized in LLM data-processing pipelines, this flaw presents a substantial threat to application availability.
TL;DR
Unauthenticated remote attackers can cause denial of service (100 percent CPU exhaustion) by submitting circular JSON Schema references to the json-repair parser.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-835
- Attack Vector: Network (AV:N)
- CVSS Severity: 7.5 (High)
- EPSS Score: 0.00045
- Impact: Denial of Service (CPU Exhaustion)
- Exploit Status: Proof-of-Concept Available
- KEV Status: Not Listed
Affected Systems
- Applications utilizing python-json-repair to parse or validate schema-bounded outputs.
- Flask/FastAPI endpoints mapping POST payloads directly to the json_repair.loads schema parameter.
- Interactive playground applications showcasing LLM schema parsing techniques.
-
json-repair: < 0.60.1 (Fixed in:
0.60.1)
Exploit Details
- GitHub Advisory: Denial of Service proof of concept payload in advisory description.
Mitigation Strategies
- Upgrade to json-repair version 0.60.1 or higher.
- Sanitize and validate incoming schemas using third-party libraries before passing them to json-repair.
- Configure strict CPU time limits and worker process execution timeouts at the application gateway level.
Remediation Steps:
- Run 'pip install --upgrade json-repair' to fetch the patched version.
- Review codebases for instances of json_repair.loads() receiving user-controlled schemas.
- Enforce Gunicorn/uWSGI timeouts to terminate frozen threads automatically.
- Verify schema definitions dynamically via automated unit testing with cyclic schema validation rules.
References
- GitHub Advisory for GHSA-xf7x-x43h-rpqh
- Vulnerable Code Repository
- Official Security Advisory Release Note
- Fixed Version Release Tag
Read the full report for GHSA-XF7X-X43H-RPQH on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)