High severityNVD Advisory· Published Feb 26, 2024· Updated Aug 2, 2024
CVE-2024-27454
CVE-2024-27454
Description
orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
orjsonPyPI | < 3.9.15 | 3.9.15 |
Affected products
16- orjson/orjsondescription
- osv-coords15 versionspkg:apk/chainguard/kubeflow-pipelines-visualization-serverpkg:apk/chainguard/py3.10-orjsonpkg:apk/chainguard/py3.11-orjsonpkg:apk/chainguard/py3.12-orjsonpkg:apk/chainguard/py3.13-orjsonpkg:apk/chainguard/py3-orjsonpkg:apk/chainguard/py3-supported-orjsonpkg:apk/wolfi/kubeflow-pipelines-visualization-serverpkg:apk/wolfi/py3.10-orjsonpkg:apk/wolfi/py3.11-orjsonpkg:apk/wolfi/py3.12-orjsonpkg:apk/wolfi/py3.13-orjsonpkg:apk/wolfi/py3-orjsonpkg:apk/wolfi/py3-supported-orjsonpkg:pypi/orjson
< 2.2.0-r0+ 14 more
- (no CPE)range: < 2.2.0-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 2.2.0-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15-r0
- (no CPE)range: < 3.9.15
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-pwr2-4v36-6qprghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-27454ghsaADVISORY
- github.com/ijl/orjson/blob/master/CHANGELOG.mdghsaWEB
- github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845eghsaWEB
- github.com/ijl/orjson/issues/458ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/orjson/PYSEC-2024-40.yamlghsaWEB
- monicz.dev/CVE-2024-27454ghsaWEB
News mentions
0No linked articles in our index yet.