CVE-2024-27454 Overview
CVE-2024-27454 is an uncontrolled recursion vulnerability in orjson, a fast JSON library for Python built on the yyjson parser. The orjson.loads function in versions before 3.9.15 does not limit recursion depth when processing deeply nested JSON documents. An attacker who can submit JSON input to an application using a vulnerable version can crash the Python process by triggering stack exhaustion. The flaw is tracked under CWE-674: Uncontrolled Recursion and affects any service that deserializes untrusted JSON with orjson.
Critical Impact
Remote, unauthenticated attackers can crash Python services that parse attacker-controlled JSON using orjson.loads, producing a denial-of-service condition.
Affected Products
- ijl/orjson versions prior to 3.9.15 (Python package)
- Python applications and web services that pass untrusted JSON to orjson.loads
- Downstream frameworks and libraries that bundle vulnerable orjson releases
Discovery Timeline
- 2024-02-26 - CVE-2024-27454 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2024-27454
Vulnerability Analysis
The orjson library exposes orjson.loads as its JSON deserialization entry point. Internally, it delegates parsing to the bundled yyjson C library. In releases before 3.9.15, the vendored yyjson version did not enforce a maximum recursion depth when descending into nested arrays or objects. When the parser encounters a deeply nested document, each level of nesting consumes native stack frames. Once the stack budget is exhausted, the process receives a fatal signal and terminates. Because the parser runs in the same address space as the host Python interpreter, the entire application crashes rather than raising a catchable Python exception.
Root Cause
The root cause is the absence of a depth bound in the recursive descent JSON parser. The fix upgrades the vendored yyjson dependency from commit 5e3b26d2659287d31e2f8e10f95f95feb7e5ab3a to 0eca326fe57aeeb866e6f04c9ef9ea9f8343157e, which introduces an explicit recursion limit during parsing.
Attack Vector
Exploitation requires only the ability to deliver a crafted JSON document to a function call that invokes orjson.loads. Typical entry points include HTTP request bodies, WebSocket messages, message queue payloads, and file uploads. A payload constructed by deeply nesting opening tokens such as [[[[...]]]] or {"a":{"a":{"a":...}}} is sufficient to trigger the crash. No authentication, user interaction, or privilege is required.
# Vendored yyjson upgrade in script/vendor-yyjson that introduces the recursion limit
-yyjson_version="5e3b26d2659287d31e2f8e10f95f95feb7e5ab3a"
+yyjson_version="0eca326fe57aeeb866e6f04c9ef9ea9f8343157e"
curl -Ls -o include/yyjson/yyjson.c "https://raw.githubusercontent.com/ibireme/yyjson/${yyjson_version}/src/yyjson.c"
curl -Ls -o include/yyjson/yyjson.h "https://raw.githubusercontent.com/ibireme/yyjson/${yyjson_version}/src/yyjson.h"
Source: orjson commit b0e4d2c. This patch updates the vendored parser to a version that enforces a recursion limit, preventing stack exhaustion on nested input.
Detection Methods for CVE-2024-27454
Indicators of Compromise
- Unexpected segmentation faults or SIGSEGV signals in Python worker processes that parse JSON.
- Repeated worker restarts or 502/504 errors from web servers immediately after receiving large JSON payloads.
- Inbound requests carrying JSON bodies with abnormally long runs of [ or { characters at the start of the document.
Detection Strategies
- Inventory Python dependencies and flag any environment running orjson below version 3.9.15 using pip list or a software composition analysis (SCA) tool.
- Add request-side instrumentation that records JSON payload nesting depth and alerts on values that exceed application norms.
- Correlate web server crash logs with the timestamps of inbound JSON requests to identify exploitation attempts.
Monitoring Recommendations
- Monitor process supervisors (systemd, Gunicorn, uWSGI, Kubernetes) for elevated restart counts on services that deserialize external JSON.
- Log and alert on HTTP requests with Content-Type: application/json bodies exceeding a defined size or depth threshold at the reverse proxy or WAF.
- Track outbound JSON received from third-party APIs, since vulnerable consumers can also be crashed by upstream responses.
How to Mitigate CVE-2024-27454
Immediate Actions Required
- Upgrade orjson to version 3.9.15 or later in every Python environment, including container images, CI runners, and serverless functions.
- Rebuild and redeploy applications that pin orjson transitively through frameworks or libraries.
- Restrict accepted JSON payload sizes at the ingress layer to reduce the blast radius of malformed input.
Patch Information
The vulnerability is fixed in orjson 3.9.15. The fix is implemented in commit b0e4d2c, which upgrades the bundled yyjson parser to a release that enforces a maximum recursion depth. Release notes are available in the orjson 3.9.15 changelog, and additional analysis is published in the Monicz CVE-2024-27454 write-up and the original GitHub issue.
Workarounds
- Enforce a maximum request body size at the reverse proxy or API gateway to prevent very large nested payloads from reaching the application.
- Pre-validate JSON depth with a lightweight scanner before passing the buffer to orjson.loads, rejecting documents that exceed a safe bound.
- Isolate JSON parsing in a subprocess or worker pool with automatic restart so that a crash does not affect the parent service.
# Upgrade orjson to the patched release
pip install --upgrade "orjson>=3.9.15"
# Verify the installed version
python -c "import orjson; print(orjson.__version__)"
# Pin the minimum safe version in requirements.txt
echo 'orjson>=3.9.15' >> requirements.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

