CVE-2025-67221

7.5 HIGH

📋 TL;DR

CVE-2025-67221 is a denial-of-service vulnerability in orjson's dumps function that allows attackers to crash applications by providing deeply nested JSON documents that cause unbounded recursion. This affects any Python application using orjson for JSON serialization. The vulnerability can lead to service disruption and resource exhaustion.

💻 Affected Systems

Products:
  • orjson
Versions: All versions through 3.11.4
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the dumps function when processing deeply nested JSON structures. Applications using orjson for JSON serialization are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage through application crashes, potential memory exhaustion leading to system instability, and denial-of-service affecting all users.

🟠 Likely Case

Application crashes or hangs when processing malicious JSON input, causing temporary service disruption for affected endpoints.

🟢 If Mitigated

Limited impact with proper input validation and recursion limits in place, potentially causing only isolated request failures.

🌐 Internet-Facing: HIGH - Any endpoint accepting JSON input from untrusted sources is vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal APIs and services could be affected by malicious internal actors or compromised systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted JSON with deep nesting to endpoints that pass the decoded data to orjson.dumps. No authentication is needed if the vulnerable endpoint is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.11.5 and later

Vendor Advisory: https://github.com/ijl/orjson/security/advisories

Restart Required: Yes

Instructions:

1. Update orjson to version 3.11.5 or later using pip (quote the specifier so the shell does not treat ">" as a redirect): pip install --upgrade "orjson>=3.11.5"
2. Restart all Python applications using orjson
3. Verify the update was successful

🔧 Temporary Workarounds

Input validation wrapper (platform: all)

Wrap orjson.dumps calls with custom validation that measures the nesting of the Python object before serialization and refuses anything deeper than a chosen limit. The check below walks the object with an explicit stack rather than recursion, so the check itself cannot overflow on hostile input. Note that only dicts, lists and tuples are walked; containers orjson serializes through other paths (dataclasses, objects handled by a default= callback) are not inspected.

import orjson

def safe_dumps(obj, max_depth=1000):
    # Measure container nesting with an explicit stack (no recursion) and refuse
    # to serialize anything deeper than max_depth before orjson.dumps sees it.
    stack = [(obj, 1)]
    while stack:
        o, d = stack.pop()
        if d > max_depth:
            raise ValueError(f"JSON nesting exceeds {max_depth} levels")
        kids = o.values() if isinstance(o, dict) else o if isinstance(o, (list, tuple)) else ()
        stack.extend((k, d + 1) for k in kids)
    return orjson.dumps(obj)

Rate limiting (platform: all)

Implement rate limiting on JSON processing endpoints to limit the impact of DoS attempts.

🧯 If You Can't Patch

  • Implement WAF rules to block JSON payloads with excessive nesting depth
  • Use alternative JSON libraries like json or ujson for critical endpoints
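The WAF rule above blocks deep payloads before they are ever parsed. As an added example (not code from the advisory or the orjson project), the following streaming scanner measures the bracket nesting of a raw JSON body without building an object tree, so a WAF, reverse proxy or ASGI/WSGI middleware can reject the request early; the default limit of 64 levels is an assumption, since the advisory gives no specific threshold. It complements the object-level check in the workaround section, which only runs after the document has already been decoded. The sample bodies at the bottom are constructed, not captured traffic.

```python
from typing import Optional


def json_nesting_depth(payload: bytes, limit: Optional[int] = None) -> int:
    """Return the maximum '[' / '{' nesting depth of a raw JSON document.

    Brackets inside string literals are ignored and backslash escapes are
    honoured, so a crafted string like "a]b{c" cannot skew the count.
    If `limit` is given, scanning stops as soon as the depth exceeds it and
    `limit + 1` is returned, so a huge payload is not scanned to the end.
    Unbalanced input is tolerated: this is a pre-filter, not a validator.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for byte in payload:
        if in_string:
            if escaped:
                escaped = False
            elif byte == 0x5C:          # backslash starts an escape sequence
                escaped = True
            elif byte == 0x22:          # closing quote
                in_string = False
            continue
        if byte == 0x22:                # opening quote
            in_string = True
        elif byte in (0x5B, 0x7B):      # '[' or '{'
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if limit is not None and max_depth > limit:
                    return max_depth    # early exit: already over the limit
        elif byte in (0x5D, 0x7D):      # ']' or '}'
            depth -= 1
    return max_depth


def reject_if_too_deep(payload: bytes, limit: int = 64) -> bool:
    """WAF-style decision: True means the request body should be blocked."""
    return json_nesting_depth(payload, limit) > limit


if __name__ == "__main__":
    # Constructed sample bodies (hypothetical, not captured traffic).
    normal = b'{"user": {"name": "a]b{c", "tags": ["x", "y"]}}'
    hostile = b"[" * 100_000 + b"]" * 100_000
    print(json_nesting_depth(normal), reject_if_too_deep(normal))    # 3 False
    print(reject_if_too_deep(hostile))                               # True
```

Because the scanner stops at `limit + 1`, the cost of rejecting a multi-megabyte payload is bounded by the first few hundred bytes of brackets rather than the whole body.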

🔍 How to Verify

Check if Vulnerable:

Check orjson version: python -c "import orjson; print(orjson.__version__)" and verify if <= 3.11.4

Check Version:

python -c "import orjson; print('Version:', orjson.__version__)"

Verify Fix Applied:

Test with a deeply nested JSON structure (1000+ levels) to ensure the application doesn't crash
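The version check and the deep-nesting test above can be combined into one script. The block below is an added example, not code from the advisory or the orjson project: it compares the installed version against the 3.11.5 fix release named above, and runs the nesting test in a child interpreter so that an unpatched build crashes the child rather than the process doing the checking. The default depth of 100,000 levels and the exit-code conventions are assumptions (the advisory only says "1000+ levels"); a result of "serialized" on an unpatched version only shows that this particular depth was survived, not that the build is safe.

```python
import re
import subprocess
import sys
from importlib import metadata
from typing import Dict, Optional, Tuple

FIXED_VERSION = (3, 11, 5)  # first fixed release named in the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.11.5' -> (3, 11, 5); a non-numeric component ends the parse."""
    parts = []
    for comp in v.split("."):
        m = re.match(r"\d+", comp)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_is_patched(v: str) -> bool:
    return parse_version(v) >= FIXED_VERSION


def installed_orjson_version() -> Optional[str]:
    """Version string of the installed orjson, or None if it is not installed."""
    try:
        return metadata.version("orjson")
    except metadata.PackageNotFoundError:
        return None


# Child script (constructed for this example). The nested list is built
# iteratively, so only orjson.dumps itself is exercised; the exit code reports
# the outcome back to the parent.
_CHILD = r"""
import sys
try:
    import orjson
except ImportError:
    sys.exit(3)
obj = []
for _ in range(int(sys.argv[1])):
    obj = [obj]
try:
    orjson.dumps(obj)
    sys.exit(0)   # serialized without complaint
except Exception:
    sys.exit(2)   # refused with a Python exception: graceful failure
"""


def probe_orjson_dumps(depth: int = 100_000, timeout: float = 60.0) -> Dict[str, str]:
    """Classify how orjson.dumps behaves on a list nested `depth` levels deep."""
    try:
        proc = subprocess.run([sys.executable, "-c", _CHILD, str(depth)],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "returncode": "n/a"}
    rc = proc.returncode
    if rc == 3:
        status = "orjson-not-installed"
    elif rc == 0:
        status = "serialized"
    elif rc == 2:
        status = "handled-exception"
    elif rc < 0 or rc > 128:
        status = "process-crashed"   # killed by a signal, e.g. native stack overflow
    else:
        status = "unknown"
    return {"status": status, "returncode": str(rc)}


if __name__ == "__main__":
    v = installed_orjson_version()
    print("orjson version:", v, "patched:", version_is_patched(v) if v else "n/a")
    print("deep-nesting probe:", probe_orjson_dumps())
```

Run it once before and once after the upgrade: the expected transition is from "process-crashed" to "handled-exception" (or "serialized"), with the version line moving to 3.11.5 or later.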

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or restarts after processing JSON
  • High memory usage spikes
  • Stack overflow errors in logs

Network Indicators:

  • Large JSON payloads with repeated nesting patterns
  • Multiple rapid requests to JSON endpoints

SIEM Query:

source="application.logs" AND ("RecursionError" OR "stack overflow" OR "orjson") AND "dumps"
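The SIEM query and the network indicators above can be exercised outside a SIEM. As an added example (not part of the advisory), the block below applies the same predicate, ("RecursionError" OR "stack overflow" OR "orjson") AND "dumps", to application log lines, and adds a sliding-window check for the "multiple rapid requests" indicator; the window of 10 seconds and threshold of 20 requests are assumptions. Every log line and request record in it is constructed for the example, not captured data.

```python
from collections import defaultdict, deque
from typing import List, Tuple

# Case-insensitive form of the advisory's SIEM query terms.
_ANY_OF = ("recursionerror", "stack overflow", "orjson")
_REQUIRED = "dumps"


def matches_siem_query(line: str) -> bool:
    low = line.lower()
    return _REQUIRED in low and any(term in low for term in _ANY_OF)


def crash_indicator_lines(lines: List[str]) -> List[str]:
    """Log lines that satisfy the SIEM predicate."""
    return [line for line in lines if matches_siem_query(line)]


def burst_sources(requests: List[Tuple[float, str, str]],
                  window_s: float = 10.0, threshold: int = 20) -> List[str]:
    """Client IPs that sent at least `threshold` JSON requests within any
    `window_s` span. `requests` holds (epoch_seconds, client_ip, content_type)
    sorted by time; non-JSON requests are ignored."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, ctype in requests:
        if "json" not in ctype.lower():
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


# Constructed sample log lines (hypothetical hosts, times and messages).
SAMPLE_LOGS = [
    "2025-11-30T10:00:01Z api-1 ERROR orjson.dumps(payload) RecursionError: maximum recursion depth exceeded",
    "2025-11-30T10:00:02Z api-1 INFO GET /health 200",
    "2025-11-30T10:00:03Z api-2 CRIT worker exited: stack overflow in orjson.dumps (signal 11)",
    "2025-11-30T10:00:04Z api-2 WARN orjson version check: 3.11.4",   # no "dumps": not matched
    "2025-11-30T10:00:05Z api-1 INFO worker restarted after crash",
]

# Constructed request records: one client bursting JSON posts, one quiet client,
# and one busy client that only fetches HTML.
SAMPLE_REQUESTS = sorted(
    [(1000.0 + i * 0.2, "10.0.0.5", "application/json") for i in range(25)]
    + [(1000.0 + i * 3.0, "10.0.0.9", "application/json") for i in range(5)]
    + [(1000.0 + i * 0.1, "10.0.0.7", "text/html") for i in range(40)]
)

if __name__ == "__main__":
    for line in crash_indicator_lines(SAMPLE_LOGS):
        print("ALERT:", line)
    print("burst sources:", burst_sources(SAMPLE_REQUESTS))
```

The two signals are best correlated: a burst source whose requests coincide with crash-indicator lines on the receiving host is a much stronger lead than either signal alone.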
