CVE-2025-67221: orjson does not limit recursion for deeply nested JSON documents
The orjson.dumps function in orjson before 3.11.6 does not limit recursion for deeply nested JSON documents.
References
- github.com/advisories/GHSA-hx9q-6w63-j58v
- github.com/ijl/orjson
- github.com/ijl/orjson/commit/62bb185b70785ded49c79c26f8c9781f1e6fe370
- github.com/ijl/orjson/issues/620
- github.com/kpatsakis/CVE-2025-67221/issues/1
- github.com/kpatsakis/orjson_vulnerability
- github.com/pypa/advisory-database/tree/main/vulns/orjson/PYSEC-2026-107.yaml
- nvd.nist.gov/vuln/detail/CVE-2025-67221