CVE-2025-67221
Unknown Unknown - Not Provided
Recursion Limit Bypass in orjson.dumps Causes DoS Risk

Publication date: 2026-01-22

Last updated on: 2026-02-12

Assigner: MITRE

Description
The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67221
EUVD
EUVD-2026-3806
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ijl orjson to 3.11.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67221 is a denial-of-service vulnerability in the orjson library's orjson.dumps() function (up to version 3.11.4). The function does not limit recursion when serializing deeply nested JSON documents. An attacker who can supply or influence the input data can cause uncontrolled recursion, leading to a crash or core dump during serialization. [1]

Impact Analysis

If your application uses orjson to serialize untrusted or attacker-controlled JSON data, this vulnerability can be exploited to cause a denial-of-service by crashing the serialization process. This can disrupt service availability and potentially cause application downtime. [1]

Detection Guidance

This vulnerability can be detected by testing if the orjson.dumps() function in your environment crashes or causes a core dump when serializing deeply nested JSON data. A practical detection method is to run a Python script that recursively nests dictionaries (e.g., 100 levels deep) and attempts to serialize them with orjson.dumps(). If the process crashes or core dumps, the vulnerability is present. Example detection code snippet: ```python import orjson nested = [] for i in range(100): nested = [{"level": i, "next": nested}] dumped = orjson.dumps(nested) ``` There are no specific network commands for detection since this is a library-level issue, but running this test on your system where orjson is used can confirm vulnerability presence. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding the serialization of deeply nested or attacker-controlled JSON data using orjson.dumps() in affected versions (up to 3.11.4). If possible, update orjson to a version where this vulnerability is fixed. Additionally, validate and sanitize input data to prevent deeply nested structures from being processed. If updating is not immediately possible, implement application-level checks to limit JSON nesting depth before serialization to prevent triggering the uncontrolled recursion. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67221. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart