{"id":"CVE-2024-27454","details":"orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.","aliases":["GHSA-pwr2-4v36-6qpr","PYSEC-2024-40"],"modified":"2026-04-12T10:25:03.870113Z","published":"2024-02-26T16:28:00.530Z","related":["CGA-7392-q5p3-5qxq","openSUSE-SU-2024:13735-1","openSUSE-SU-2024:13780-1"],"references":[{"type":"WEB","url":"https://monicz.dev/CVE-2024-27454"},{"type":"ADVISORY","url":"https://github.com/ijl/orjson/blob/master/CHANGELOG.md#3915"},{"type":"REPORT","url":"https://github.com/ijl/orjson/issues/458"},{"type":"FIX","url":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ijl/orjson","events":[{"introduced":"0"},{"fixed":"a348f59f0b55d92a1364523560f52f5b3cf9c12a"},{"fixed":"b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.9.15"}]}}],"versions":["1.0.0","1.0.1","1.1.0","1.2.0","1.2.1","1.3.0","1.3.1","2.0.0","2.0.1","2.0.10","2.0.11","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.2.0","2.2.1","2.2.2","2.3.0","2.4.0","2.5.0","2.5.1","2.5.2","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.6.8","3.0.0","3.0.1","3.0.2","3.1.0","3.1.1","3.1.2","3.2.0","3.2.1","3.2.2","3.3.0","3.3.1","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.4.5","3.4.6","3.4.7","3.4.8","3.5.0","3.5.1","3.5.2","3.5.3","3.5.4","3.6.0","3.6.1","3.6.2","3.6.3","3.6.4","3.6.5","3.6.6","3.6.7","3.6.8","3.6.9","3.7.0","3.7.1","3.7.10","3.7.11","3.7.12","3.7.2","3.7.3","3.7.4","3.7.5","3.7.6","3.7.7","3.7.8","3.7.9","3.8.0","3.8.1","3.8.10","3.8.11","3.8.12","3.8.13","3.8.14","3.8.2","3.8.3","3.8.4","3.8.5","3.8.6","3.8.7","3.8.8","3.8.9","3.9.0","3.9.1","3.9.10","3.9.11","3.9.12","3.9.13","3.9.14","3.9.2","3.9.3","3.9.4","3.9.5","3.9.6","3.9.7","3.9.8","3.9.9"],"database_specific":{"vanir_signatures":[{"target":{"function":"yyjson_mut_doc_free","file":"include/yyjson/yyjson.c"},"digest":{"length":201,"function_hash":"291336990439210803847972151107131088133"},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-53094a46","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"function":"unsafe_yyjson_num_equals","file":"include/yyjson/yyjson.c"},"digest":{"length":513,"function_hash":"186154536881393616078813824627451582591"},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-6bd66ca7","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"function":"pool_realloc","file":"include/yyjson/yyjson.c"},"digest":{"length":1418,"function_hash":"73038188363343731307793459541701754508"},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-a3b65514","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"function":"yyjson_mut_merge_patch","file":"include/yyjson/yyjson.c"},"digest":{"length":1003,"function_hash":"109770599930998860796919092100114210573"},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-a4ae24a7","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"function":"yyjson_doc_free","file":"include/yyjson/yyjson.h"},"digest":{"length":187,"function_hash":"1629962620359660383248846018483621895"},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-a70c3ce6","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"file":"include/yyjson/yyjson.h"},"digest":{"threshold":0.9,"line_hashes":["151072014178737402040579566865062613979","24252991186268969339292801120578033625","190476808598830246958025571648166849642","26171303150257458362588919690913131476","91066063360967135645864003752733609114","131155047654742328611757926182212527357","192128937373403354353641247960479671264","35072441809925614722747166108619896151","211618213134592360732891113351063976088","96190134605256029927726050886414725449","169695460044644434395865401372617783683","136718262649775137330550769375610710255","131454260207112158220577684708487059798","85226088499811028777551157249498676140","1389306516658042771112046454081781688","93007126250292413949167460505596045636","220733807210828290349016645386797783734","30547016265975445433295982317348873007","178280809670827076464859645316117578251","104429094833436277921833439907609636649","223366137663518817751947341599061321438","27520690594311739676841344397809730602","278771973958855275394037529513834385998","89703060654160315458317469643868134963","204586401507700374039370205051618916922","132494521543643880861807005416534544795","321698608438606789865321242450583250473","69783411315328205326659711898040803023","138378858874417082379907935593442860044","121285508944040898283193521907296300347","291055492614013787831956224877249641854","8224769022337712068690515575290221105","120482230977544129537172770538575378417","29741651447752548368972684154399506365","93362542092307508254133804332942156824","280806148781869677712719320086233025231","234511404223960691387055614585959663278","253404287506661053734328456329539809766","75935217981792613098612037699947038597","63571701761648964507379880362984831284","324468585294989272768274262844286945483","42859830916574062749620158487714887425","66837958146181784883223883505479941798","88189881741112520515314764984936319675","117295145169061272209392908624037921376","25103258604674465085922168600046739628","193216964637213936744062174903487872633","171883967302994203122934407142500980449","59577883469736844652325001309873532572","251574329408107720369161291098962896106","260566787239594745607618440233487077012","237011951183076796793680189539948064942","203347342873882937158685485099833381514","57343241606701108092754252271669774258","193506768774466710390949164234290176940","24626674706165470468076788967523553179","224686856950113222593640358778694449422","145025899346011072654226550815006803152","36805375167402112979959936491782766658","85508600818059862050130767840094938846","174670178248503727543824397863442748693","277444601334304452343645592288468059248","271390730493140923967179671597393889452","213400865094602214201384791291514998118","55477772246203745648924316622414952938","174643833165651968728350755702359754671","85989465752756872528796181503367185254","142078940463727821466704615057346330945","233856352182113750028278051998408154716","18911655145560220004634907231111940894","303840677043144825088424432380646996996","35978683046185941711649805618322660082","243368138412415145815795746734587763161","229375306028385798926498584730156511897","80877225103428432213690726900037423919","65981121165935197575597657594547002479","69317628237204971635603523843191484639","328288099310947053755468995729055532932","216674508512656128470569686298891376577","95638999314902965694559458421227744197","323875357356017766844659512352681822960","203707165597278179866095539774549463228","11913342284658756569521896779973759089","135890616631599526288495703236914727119","327171461760330660880004725090749343258","318984531874008624598372747938682277457","69317628237204971635603523843191484639","328288099310947053755468995729055532932","100256290194093415966970983726278727166","339819983657736313997079699743630462881"]},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-a9ed0225","signature_version":"v1","signature_type":"Line","deprecated":false},{"target":{"function":"unsafe_yyjson_equals","file":"include/yyjson/yyjson.c"},"digest":{"length":1143,"function_hash":"72255864202564116328000145120730997772"},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-b29de03e","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"function":"unsafe_yyjson_mut_equals","file":"include/yyjson/yyjson.c"},"digest":{"length":1172,"function_hash":"165287065959091275569122475376423080215"},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-c945a439","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"function":"pool_malloc","file":"include/yyjson/yyjson.c"},"digest":{"length":716,"function_hash":"169270756623966942895291315371998114521"},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-cbc257c8","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"file":"include/yyjson/yyjson.c"},"digest":{"threshold":0.9,"line_hashes":["241488928768973869060686104368036563455","149227469907681641162530794266865233393","148208342904495842344046584754377914975","173081033271364393327024327549997306515","24187651478014215609493135013594109818","332446858819352194556401784912674927448","248115622643411017014463744101662045076","12694608662650873083865978422136282107","230978097825430796662495843794579671197","275119424832836689681962854099543133936","140750114323637082373500486573351743479","20008320528468912998818611536750874812","77803553326404584512374891519945283562","300704550633020873005720811370928926665","326842087820217685825660516534393296098","336629435486321564080450600381156634920","336810518090160056345075684760638391091","119874779428381903600086844554488854940","327868826406737990255478171815371760261","2372960712054803823101567305295910339","62929815413602078549605497333996329611","298157618191185937246921967913965088323","3289303036019761293442751756364454649","270755910421970623932275174540104037864","60049053673598219100517917619993064547","73389507646893353787987083532309622951","18172956945277547619914312165135630965","18568223480261474934401227342938515355","83477999338446669992506267193212746072","288644948172868217591830991360012558984","186842061877855325158675694093359248232","17904713162459532363162990463711347487","318342000313070254078801317364655523115","12491766833886447356297650187030985543","300255392267631691633078835463295840835","326969916406971289774173364811128060945","318015896120068969541869939421077752475","205564035631591395147390668562460126464","124586779004716408403762583641331383127","16029577635793179127234378775381247650","217262673663677541609757491556508826226","128597200764434010456614000728893059102","199304597357779445177336182680198469655","257663786154525321748626251422701654228","325192733469662416017727292743753715311","232582865813897834948864073519662414421","92467084291192175703942607942671512081","27095367573584460113814568892591240939","206848083861276513573387047073565220589","147995093771741479201014054394804828533","171825872278704627413668243876172173791","206902230098017780062904993407102676574","83242386327488899862661367358729104001","256425108524168362650363836884602213650","324381070881086977404650917130920109290","144062233918343562593065077398561632070","99589087384867711434463308445171489133","138883743528109519801310653856311209535","197129498016761613592386061266707773680","202397881245139719891516257857729654668","41267602092535128141146843131952590479","297906871219172738314300122374421978959","182039126966709151359213749443716396090","258825570368581682374300191396797948437","13281746258490909675496669663509142552","89903955468477720608436642015366614468","316168304313259207202946101091622790211","314404860609969414249911110056976212145","113548268154523627572557180567080143117","234472121834188195095376559062182563612","128928017288290002838239072540548036881","271690248748977850212337410919261631645","258562044582816094521590421758488287802","102988160602765332585241309252648859447","136401939246120831105862097650520813876","154835899637749688089170024161846366205","149290592740796265451267232868866633149","251234247201349792828397208560648083991","248991127679546449485184922296305225323","305255347903738171025427394092714328799","229400043046323821320043472676401275431","254527852513865151299317291404918791337","164139058232365144517634397673369822858","9881348905041014115845709372344304512","72302531691023663229477368509637560735","105944861754104684365716484265396353646","34777827158027852993321296658946658411","214468940361424149409521595716232540664","105735929565354399353474068149378981507","14094651083065582526383864461639232052","18145667604279134110365788988194919635","34096271216240287472269685213179648818","248344279235788451267979463952229404921","121182795280111835893389910203542420267","217662999724426872682808377865584625969","131632877796517988626914365705092021067","72183514416223867759335124034255732710","116455297275407360564947513511033719032","97182190287575821600983669617659485085","201491839743831625409142208307563537738","290038069401355722977009237306156483568","180609602510514176541388583203411034943","40427487075949516171724174337347104342","166373056199316816262427645664624196104","247675923981275155579269533789372005309","127172088915242968619416220723051970782","169597347413639425932785040104840431171","138300992356270214967420765101284836369","175710521100249162765442936426030223290","79859837940437946300389507536056195099","211490558230190337193767676607690193879","145444032306598297318136551216021500852","238137186195655084310793167370504429013","115240404576987615318776088845922774986","74740264959228639513671557218124609754","295163250934104907765863530916133390047","309509672788684683638540999597668338430","269355747391773183174288010416935035948","235009972278436816641841618748005062207","107161523484576950322961056251547195690","20867659438962136656714176961351721553","28064282752919825191284290554583313675","234416396278193644242730177117610086855","29682246242118197206992534142169200926","136041161802603000045420940701171591812","325458390162106033410892658361775619939","277547226775600200814452998751654166954","113218624621515996260383885725858076129","291973253313504918623937591406753586163","105281214477513770742255342244573834081","232817381736605723671967452853325818605","111148221747383042580521756079926034638","51634624064913916563204476291561445136","196878373788087689804091290935430821880","145444032306598297318136551216021500852","238586583692998192383100667060476848044","40963464267258847356040104665962035988","59663909276308307636957910477708405383","295163250934104907765863530916133390047","309509672788684683638540999597668338430","269355747391773183174288010416935035948","308272870412561502061994904322460851662","107161523484576950322961056251547195690","20867659438962136656714176961351721553","28064282752919825191284290554583313675","234416396278193644242730177117610086855","29682246242118197206992534142169200926","136041161802603000045420940701171591812","325458390162106033410892658361775619939","277547226775600200814452998751654166954","113218624621515996260383885725858076129","291973253313504918623937591406753586163","105281214477513770742255342244573834081","232817381736605723671967452853325818605","111148221747383042580521756079926034638","51634624064913916563204476291561445136","196878373788087689804091290935430821880","145444032306598297318136551216021500852","238586583692998192383100667060476848044","40963464267258847356040104665962035988","59663909276308307636957910477708405383","66695218512419752186507124895898628958","145225492427573898699418714660339751298","299776522124579111931207718646212563796","168691542637108154315505909452449881621","320812472266523014075620996190737566036","302777993383963840696654131943869888587","264574266915845291592127552323975502490","305271337616841813097476245905815246105","135909980224751506345884537234819372058","214514719980480578306576488310716468113","56880747191710912067409454321130644206","40812981489275548971130673381816937604","66032547834059732658958764779852945968","309986516728504733185255467161622060142","284987196793595282618483368864608331860","183164106428581848747783655460743841769","22286508962769690872349881805829929895","28073166625539008491154203223947985587","44798502050623979861443399521182563878","104135540501795254700613121542898069161","33080386313454791924665786604269030002","325237775132221247830987390308885973285","278796804525984866453983599999412232041","156248399739456477801371587986327198027","228504531623084519588200812240122449584","174113495688744253618857136392327306889","118483811594972584489693487298678880924","307917531564815914956764288976694574133","157414776151782082843970611582468326643","241445809808774613017209456911974777640","66695218512419752186507124895898628958","254729476972503302892192065142785575603","139834911109144190328206814615170368411","23959950379951070319703131476900491880","316822440253979901347645414945669189448","118306053278059247298193590741787796057","167687603689578020114528559398918634209","253880963171081438857955947511849696049","283285963754981986670667316987896718814","299197448420435641194912314722692396787","233078099533497215931205465143948973115","206135048958013451250476773913621955026","316822440253979901347645414945669189448","29246604382726104940778350386289821818","171348105478297127544955999820402806596","320409644576277592133852237657543159845","66695218512419752186507124895898628958","13618828047508331094443612675052752072","71928966729850204495020335149785306873","133413127717154840137901803309583369512","316822440253979901347645414945669189448","118306053278059247298193590741787796057","167687603689578020114528559398918634209","47804916281902768898396642065868582435","283285963754981986670667316987896718814","254762124171431341460907270329087867212","339549008185724869339754263210915798446","140545698867636162358685402480674757169","316822440253979901347645414945669189448","29246604382726104940778350386289821818","171348105478297127544955999820402806596","64358194896643125604346589819838348445"]},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-e417463e","signature_version":"v1","signature_type":"Line","deprecated":false},{"target":{"function":"yyjson_merge_patch","file":"include/yyjson/yyjson.c"},"digest":{"length":1139,"function_hash":"143617206470948816817268669945748516579"},"source":"https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e","id":"CVE-2024-27454-ed3ea055","signature_version":"v1","signature_type":"Function","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27454.json","vanir_signatures_modified":"2026-04-12T10:25:03Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}