CVE-2025-67221 Overview
CVE-2025-67221 is a Resource Exhaustion vulnerability affecting the orjson Python library through version 3.11.4. The orjson.dumps function fails to implement proper recursion limits when processing deeply nested JSON documents, allowing attackers to cause a Denial of Service condition by providing specially crafted input that triggers excessive stack consumption.
Critical Impact
Applications using orjson to serialize untrusted JSON data may be vulnerable to stack exhaustion attacks, potentially causing service crashes and system unavailability.
Affected Products
- orjson versions through 3.11.4
- Python applications using affected orjson versions for JSON serialization
- Web services and APIs processing user-supplied nested JSON structures
Discovery Timeline
- 2026-01-22 - CVE CVE-2025-67221 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-67221
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The orjson library, written in Rust with Python bindings, is designed for high-performance JSON serialization and deserialization. However, the orjson.dumps function lacks adequate safeguards against processing deeply nested JSON structures.
When an attacker provides a JSON document with excessive nesting depth, the serialization process consumes stack memory proportional to the nesting level. Without recursion limits, this can exhaust available stack space, leading to a stack overflow and subsequent process termination. The vulnerability is exploitable over the network without authentication, making it particularly dangerous for public-facing web services.
Root Cause
The root cause lies in the absence of recursion depth validation in the orjson.dumps function. When processing nested objects or arrays, each level of nesting adds a new frame to the call stack. Without a configured maximum depth limit, malicious input with thousands of nested levels can rapidly consume stack memory, triggering a stack overflow condition.
Attack Vector
An attacker can exploit this vulnerability by sending a maliciously crafted JSON document with deeply nested structures to any application endpoint that processes JSON using orjson. The attack requires no authentication and can be executed remotely over the network. Common attack scenarios include:
- Submitting nested JSON payloads to REST API endpoints
- Providing crafted input to web services that serialize user data
- Exploiting message queue consumers that process JSON messages
The vulnerability mechanism involves creating JSON objects or arrays nested to extreme depths (potentially thousands of levels). When orjson.dumps attempts to serialize such structures, the recursive processing exhausts available stack space. For detailed technical analysis, refer to the GitHub Orjson Vulnerability Report.
Detection Methods for CVE-2025-67221
Indicators of Compromise
- Sudden application crashes with stack overflow errors in orjson-related code paths
- Unexpected process terminations in services processing JSON data
- Error logs showing recursion depth exceeded or stack exhaustion messages
- Memory allocation failures preceding service unavailability
Detection Strategies
- Monitor application logs for stack overflow or recursion-related error messages
- Implement input validation to check JSON nesting depth before processing
- Deploy application performance monitoring to detect unusual memory consumption patterns
- Use SentinelOne Singularity to detect anomalous process behavior and crash patterns
Monitoring Recommendations
- Set up alerting for service restarts and crash events in JSON processing components
- Monitor stack memory usage in applications using orjson
- Track request patterns for unusually large or deeply nested JSON payloads
- Implement logging at API gateways to capture and analyze suspicious JSON structures
How to Mitigate CVE-2025-67221
Immediate Actions Required
- Audit all applications using orjson to identify vulnerable deployments
- Implement input validation to reject JSON documents exceeding a safe nesting depth
- Consider deploying a web application firewall (WAF) rule to limit JSON nesting depth
- Monitor for updates from the orjson maintainers and apply patches when available
Patch Information
At the time of publication, users should monitor the GitHub Repository for Orjson for security updates and patched releases. Organizations should subscribe to security advisories and apply updates promptly once available.
Workarounds
- Implement a pre-processing validation layer that checks JSON nesting depth before passing data to orjson
- Set process-level stack size limits to prevent complete system resource exhaustion
- Consider using alternative JSON libraries with built-in recursion limits for untrusted input
- Deploy rate limiting on endpoints processing JSON to reduce attack surface
# Example: Implementing JSON depth validation before orjson processing
# Add this validation layer to reject deeply nested JSON documents
python -c "
import json
def validate_json_depth(obj, max_depth=50, current_depth=0):
if current_depth > max_depth:
raise ValueError('JSON nesting depth exceeds maximum allowed')
if isinstance(obj, dict):
for value in obj.values():
validate_json_depth(value, max_depth, current_depth + 1)
elif isinstance(obj, list):
for item in obj:
validate_json_depth(item, max_depth, current_depth + 1)
return True
"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
