CVE-2024-27454
Denial of Service vulnerability in orjson (PyPI)
What is CVE-2024-27454 About?
This vulnerability affects orjson.loads in orjson before 3.9.15, which does not limit recursion depth when parsing deeply nested JSON documents, so a crafted document can exhaust resources. The impact is a denial of service through excessive memory or CPU usage. Exploitation is easy: submitting a single malicious JSON document is enough.
Affected Software
- orjson
  - versions before 3.9.15
  - commits before b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e (the fixing commit)
Technical Details
The orjson.loads function in orjson versions prior to 3.9.15 does not enforce a depth limit on recursion when parsing nested JSON structures. An attacker can craft a JSON document with an extremely high level of nested arrays or objects, such as [[[[...]]]]. When orjson.loads parses this input, the recursive parsing algorithm consumes an unbounded amount of stack and memory, eventually ending in a stack overflow or out-of-memory error and so denying service to the application that processes the JSON.
What is the Impact of CVE-2024-27454?
Successful exploitation may allow attackers to cause a denial of service by exhausting system resources (CPU or memory), leading to application unresponsiveness or crashes.
What is the Exploitability of CVE-2024-27454?
Exploitation of this vulnerability is simple, requiring only the ability to provide an application with a deeply nested JSON document. There are no authentication or specific privilege requirements; any user or system that can submit JSON input to the vulnerable orjson.loads function can trigger it. This is typically a remote exploitation scenario if the JSON input is received over a network channel, but could also be local. The primary risk factor is any application that parses untrusted JSON data using affected versions of orjson without imposing its own depth limits.
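As an added example (not code from orjson or from this advisory), the following guard shows the kind of application-side depth limit the last sentence refers to: a single pass over the raw bytes that rejects over-nested input before orjson.loads is ever called. The names MAX_DEPTH, JSONTooDeep, nesting_depth and safe_loads are assumed, and the standard-library json fallback exists only so the example runs where orjson is not installed.

```python
# Added example (not orjson's own code): a pre-parse nesting-depth guard for
# applications that feed untrusted JSON to orjson.loads and cannot yet move
# to 3.9.15. It counts array/object nesting outside string literals and
# refuses over-deep input before any recursive parser sees it.

MAX_DEPTH = 256  # assumed limit; pick the depth your schema actually needs

class JSONTooDeep(ValueError):
    """Raised when a document nests arrays/objects deeper than allowed."""

def nesting_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Max bracket nesting of `data`, or limit + 1 as soon as it is exceeded.

    Only '[', ']', '{', '}' outside JSON strings count: a bracket inside
    "a]b" is ignored and a backslash-escaped quote does not end a string.
    Stopping early means a huge hostile document is never read to the end.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for byte in data:
        if in_string:
            if escaped:
                escaped = False
            elif byte == 0x5C:      # backslash: next byte is escaped
                escaped = True
            elif byte == 0x22:      # unescaped quote closes the string
                in_string = False
        elif byte == 0x22:          # quote opens a string
            in_string = True
        elif byte in (0x5B, 0x7B):  # '[' or '{'
            depth += 1
            if depth > limit:
                return limit + 1    # too deep: stop scanning
            max_depth = max(max_depth, depth)
        elif byte in (0x5D, 0x7D):  # ']' or '}'
            depth -= 1
    return max_depth

def safe_loads(data: bytes, limit: int = MAX_DEPTH):
    """Parse `data` only after the depth guard passes; json is the fallback."""
    if nesting_depth(data, limit) > limit:
        raise JSONTooDeep(f"JSON nesting exceeds {limit} levels")
    try:
        import orjson            # real parser when available
        return orjson.loads(data)
    except ImportError:
        import json              # fallback so the example runs offline
        return json.loads(data)
```

Because the guard returns as soon as the limit is passed, its cost on hostile input is bounded by the limit rather than by the document size.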
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-27454?
Available Upgrade Options
- orjson <3.9.15 → Upgrade to 3.9.15
- orjson before commit b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e → Upgrade to commit b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e
Additional Resources
- https://github.com/ijl/orjson
- https://monicz.dev/CVE-2024-27454
- https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e
- https://github.com/ijl/orjson/blob/master/CHANGELOG.md#3915
- https://github.com/ijl/orjson/issues/458
- https://nvd.nist.gov/vuln/detail/CVE-2024-27454
- https://osv.dev/vulnerability/PYSEC-2024-40
What are Similar Vulnerabilities to CVE-2024-27454?
Similar Vulnerabilities: CVE-2022-26162, CVE-2021-39187, CVE-2020-25659, CVE-2020-29562, CVE-2020-15250
