CVE-2024-27454
📋 TL;DR
CVE-2024-27454 is a vulnerability in orjson's loads function that fails to limit recursion depth when parsing deeply nested JSON documents. This allows attackers to cause denial of service (DoS) by crashing the application through stack exhaustion. Any application using vulnerable versions of orjson to parse untrusted JSON data is affected.
💻 Affected Systems
- orjson
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash leading to denial of service, potentially affecting availability of dependent services.
Likely Case
Application crashes when processing malicious JSON payloads, causing temporary service disruption.
If Mitigated
No impact if JSON input is validated or comes from trusted sources only.
🎯 Exploit Status
Exploitation requires sending a specially crafted JSON document with deep nesting. Proof of concept is available in GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.15
Vendor Advisory: https://github.com/ijl/orjson/blob/master/CHANGELOG.md#3915
Restart Required: No
Instructions:
1. Update the orjson package with pip (quote the specifier so the shell does not treat `>=` as a redirect): pip install --upgrade "orjson>=3.9.15"
2. Verify the update with: pip show orjson
3. No application restart needed for Python package updates.
🔧 Temporary Workarounds
Input validation and depth limiting
Validate JSON input depth before passing it to orjson.loads()
# Python example:
import json

def safe_loads(json_str, max_depth=1000):
    # The stdlib parser raises RecursionError (a normal Python exception)
    # instead of overflowing the native stack, so it is safe to run first.
    # The recursive depth check below can also hit RecursionError on very
    # deep input, so both are converted to a single ValueError.
    try:
        parsed = json.loads(json_str)
        # Check depth of parsed structure
        def check_depth(obj, current=0):
            if current > max_depth:
                raise ValueError('JSON nesting too deep')
            if isinstance(obj, dict):
                for v in obj.values():
                    check_depth(v, current + 1)
            elif isinstance(obj, list):
                for v in obj:
                    check_depth(v, current + 1)
        check_depth(parsed)
    except RecursionError:
        raise ValueError('JSON nesting too deep')
    return parsed
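The workaround above parses the whole document with the stdlib parser first, which gives up orjson's speed and still builds the full object tree. A cheaper way to enforce the same rule is to scan the raw text for bracket depth before any recursive parser sees it. The following is an added example, not code from the advisory or from the orjson project; `MAX_DEPTH`, `nesting_depth` and `guarded_loads` are names chosen here, and `guarded_loads` defaults to `json.loads` only so that it runs without orjson installed (pass `orjson.loads` in a real deployment).

```python
# Added example (not the orjson project's code): a linear-time scan of the raw
# JSON text that rejects excessive nesting before the bytes reach a recursive
# parser. Only structural brackets are counted; string literals (including
# escaped quotes inside them) are skipped so brackets in strings don't count.
import json

MAX_DEPTH = 64  # assumed limit; tune it to what your schema actually needs


def nesting_depth(text: str) -> int:
    """Return the maximum bracket nesting depth of a JSON document.

    Runs in O(len(text)) with O(1) extra memory regardless of how deeply
    the input is nested, so the check itself can never exhaust the stack.
    """
    depth = max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch in "]}":
            depth -= 1
    return max_depth


def guarded_loads(text: str, loads=json.loads, max_depth: int = MAX_DEPTH):
    """Reject over-nested input, then delegate to the real parser.

    `loads` defaults to the stdlib parser so the example runs anywhere; in
    production pass `orjson.loads`. The scanner is deliberately permissive
    on malformed input (it never raises); full validation stays with the
    parser, which only ever sees documents within the depth budget.
    """
    if nesting_depth(text) > max_depth:
        raise ValueError(f"JSON nesting depth exceeds {max_depth}")
    return loads(text)


if __name__ == "__main__":
    print(guarded_loads('{"a": [1, {"b": "[[[["}]}'))
    try:
        guarded_loads("[" * 200 + "]" * 200)
    except ValueError as exc:
        print("rejected:", exc)
```

Because the scan never recurses, the depth limit can be set well below the interpreter's recursion limit without the guard itself becoming a crash vector; 64 is an arbitrary starting point and most real schemas need far less.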
🧯 If You Can't Patch
- Implement strict input validation to reject JSON documents with excessive nesting depth
- Use alternative JSON parsers with recursion limits for untrusted input
🔍 How to Verify
Check if Vulnerable:
Check the orjson version: python -c "import orjson; print(orjson.__version__)" and compare it with 3.9.15; anything older is vulnerable.
Check Version:
python -c "import orjson; print('orjson version:', orjson.__version__)"
Verify Fix Applied:
Test with a deeply nested JSON document and confirm the parser raises a Python exception that the caller can catch, rather than crashing the interpreter.
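A verification run should not take the checker down with it, so the parse belongs in a child process: a vulnerable build kills the child (on POSIX a signal shows up as a negative return code), a fixed build prints the exception it raised. The harness below is an added example, not from the advisory or the orjson project; `probe_parser`, the `CHILD` script and the default depth of 100000 are assumptions made here, and the module defaults to the stdlib `json` so the code runs without orjson installed (run it with `orjson` as the argument to check the real target).

```python
# Added example (not the orjson project's code): exercise a JSON parser with a
# constructed deeply nested document inside a subprocess and classify the
# outcome as parsed / raised / crashed / missing.
import subprocess
import sys

# Child program: import the parser module by name, build the nested document,
# and report what happened on stdout. Constructed test input, not real data.
CHILD = r"""
import importlib, sys
try:
    mod = importlib.import_module(sys.argv[1])
except ImportError:
    print("missing")
    sys.exit(0)
depth = int(sys.argv[2])
doc = "[" * depth + "]" * depth   # constructed deeply nested document
try:
    mod.loads(doc)
    print("parsed")
except Exception as exc:           # any catchable error is the safe outcome
    print("raised:" + type(exc).__name__)
"""


def probe_parser(module: str = "json", depth: int = 100_000) -> str:
    """Return 'parsed', 'raised:<ExceptionName>', 'missing' or 'crashed:<rc>'.

    A child that exits non-zero or dies by signal without printing a verdict
    is reported as crashed; that is the vulnerable behaviour the advisory
    describes (stack exhaustion takes the whole interpreter down).
    """
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, module, str(depth)],
        capture_output=True, text=True, timeout=60,
    )
    verdict = proc.stdout.strip()
    if proc.returncode == 0 and verdict:
        return verdict
    return f"crashed:{proc.returncode}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "orjson"
    result = probe_parser(target)
    print(f"{target}: {result}")
    # Exit non-zero when the parser crashed so a CI job can gate on it.
    sys.exit(1 if result.startswith("crashed") else 0)
```

The stdlib parser serves as a reference for the safe outcome: it raises `RecursionError`, which the child reports as `raised:RecursionError`. The same harness run against a patched orjson should likewise report a `raised:` verdict, while a crash verdict means the installed version still needs the update.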
📡 Detection & Monitoring
Log Indicators:
- Application crashes with stack overflow errors
- High memory usage spikes during JSON parsing
- Python interpreter segmentation faults
Network Indicators:
- Large JSON payloads with repeated nesting patterns
- Multiple failed requests to JSON endpoints
SIEM Query:
source="application.logs" AND ("stack overflow" OR "segmentation fault" OR "RecursionError") AND process="python"
🔗 References
- https://github.com/ijl/orjson/blob/master/CHANGELOG.md#3915
- https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e
- https://github.com/ijl/orjson/issues/458
- https://monicz.dev/CVE-2024-27454