CVE-2025-67221
Recursion Limit Bypass in orjson.dumps Causes DoS Risk
Publication date: 2026-01-22
Last updated on: 2026-02-12
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ijl | orjson | to 3.11.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67221 is a denial-of-service vulnerability in the orjson library's orjson.dumps() function (up to version 3.11.4). The function does not limit recursion when serializing deeply nested JSON documents. An attacker who can supply or influence the input data can cause uncontrolled recursion, leading to a crash or core dump during serialization. [1]
How can this vulnerability impact me?
If your application uses orjson to serialize untrusted or attacker-controlled JSON data, this vulnerability can be exploited to cause a denial-of-service by crashing the serialization process. This can disrupt service availability and potentially cause application downtime. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the orjson.dumps() function in your environment crashes or causes a core dump when serializing deeply nested JSON data. A practical detection method is to run a Python script that recursively nests dictionaries (e.g., 100 levels deep) and attempts to serialize them with orjson.dumps(). If the process crashes or core dumps, the vulnerability is present. Example detection code snippet:

```python
import orjson

# Build a deeply nested structure: each level wraps the previous one
# in a list containing a single dict.
nested = []
for i in range(100):
    nested = [{"level": i, "next": nested}]

# On an affected version this call may crash the interpreter instead of
# returning bytes or raising a controlled error.
dumped = orjson.dumps(nested)
```

There are no specific network commands for detection since this is a library-level issue, but running this test on your system where orjson is used can confirm vulnerability presence. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the serialization of deeply nested or attacker-controlled JSON data using orjson.dumps() in affected versions (up to 3.11.4). If possible, update orjson to a version where this vulnerability is fixed. Additionally, validate and sanitize input data to prevent deeply nested structures from being processed. If updating is not immediately possible, implement application-level checks to limit JSON nesting depth before serialization to prevent triggering the uncontrolled recursion. [1]
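The application-level depth check recommended above, as an added example rather than code from the orjson project: it measures container nesting with an explicit stack (so the check itself cannot overflow the interpreter stack on hostile input) and refuses to call the serializer when the input exceeds a caller-chosen budget. The limit value 64, the helper names, and the json fallback used when orjson is not installed are assumptions of this example, not figures from the advisory.

```python
from collections.abc import Mapping, Sequence

try:
    import orjson  # the affected library; optional so the example runs without it

    def _dumps(obj: object) -> bytes:
        return orjson.dumps(obj)
except ImportError:  # assumed fallback for environments without orjson
    import json

    def _dumps(obj: object) -> bytes:
        return json.dumps(obj).encode()


class NestingTooDeep(ValueError):
    """Raised before serialization when input exceeds the depth budget."""


def nesting_depth(obj: object, limit: int) -> int:
    """Return the container nesting depth of obj (scalars are depth 0).

    Iterative walk with an explicit stack; returns early with a value
    greater than `limit` as soon as a container beyond the budget is seen.
    """
    depth = 0
    stack = [(obj, 1)]
    while stack:
        node, d = stack.pop()
        if isinstance(node, Mapping):
            children = list(node.values())
        elif isinstance(node, Sequence) and not isinstance(node, (str, bytes, bytearray)):
            children = list(node)
        else:
            continue  # scalar leaf: does not add a level
        if d > limit:
            return d
        depth = max(depth, d)
        stack.extend((child, d + 1) for child in children)
    return depth


def safe_dumps(obj: object, limit: int = 64) -> bytes:
    """Reject over-deep input before it ever reaches the serializer."""
    d = nesting_depth(obj, limit)
    if d > limit:
        raise NestingTooDeep(f"nesting depth {d} exceeds limit {limit}")
    return _dumps(obj)


def is_rejected(obj: object, limit: int = 64) -> bool:
    """True when safe_dumps refuses obj; used to exercise the gate."""
    try:
        safe_dumps(obj, limit)
    except NestingTooDeep:
        return True
    return False


def build_nested(levels: int) -> list:
    """Constructed sample input using the advisory's nesting pattern."""
    nested: list = []
    for i in range(levels):
        nested = [{"level": i, "next": nested}]
    return nested
```

Each advisory-style level contributes two containers (a list and a dict), so build_nested(100) has depth 201 and is rejected at limit 64, while build_nested(10) has depth 21 and is serialized normally.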