High severity · OSV Advisory · Published Jan 22, 2026 · Updated Jan 22, 2026
CVE-2025-67221
Description
The orjson.dumps function in orjson through 3.11.4 does not limit recursion for deeply nested JSON documents.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| orjson (PyPI) | < 3.11.6 | 3.11.6 |
Affected products
| Package | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/authentik | (no CPE) | < 2026.2.1-r4 |
| pkg:apk/chainguard/authentik-fips | (no CPE) | < 2026.2.1-r3 |
| pkg:apk/chainguard/datadog-agent-7.75-core-integrations | (no CPE) | < 7.75.4-r2 |
| pkg:apk/chainguard/datadog-agent-fips-7.75-core-integrations | (no CPE) | < 7.75.4-r2 |
| pkg:apk/chainguard/kserve-storage-controller | (no CPE) | < 0.16.0-r11 |
| pkg:apk/chainguard/litellm | (no CPE) | < 1.80.15.0-r1 |
| pkg:apk/chainguard/py3.10-ambassador | (no CPE) | < 3.10.0-r24 |
| pkg:apk/chainguard/py3.11-ambassador | (no CPE) | < 3.10.0-r24 |
| pkg:apk/chainguard/py3.12-ambassador | (no CPE) | < 3.10.0-r24 |
| pkg:apk/chainguard/py3.13-ambassador | (no CPE) | < 3.10.0-r24 |
| pkg:apk/wolfi/datadog-agent-7.75-core-integrations | (no CPE) | < 7.75.4-r2 |
| pkg:apk/wolfi/kserve-storage-controller | (no CPE) | < 0.16.0-r11 |
| pkg:apk/wolfi/py3.10-ambassador | (no CPE) | < 3.10.0-r24 |
| pkg:apk/wolfi/py3.11-ambassador | (no CPE) | < 3.10.0-r24 |
| pkg:apk/wolfi/py3.12-ambassador | (no CPE) | < 3.10.0-r24 |
| pkg:apk/wolfi/py3.13-ambassador | (no CPE) | < 3.10.0-r24 |
| pkg:pypi/orjson | (no CPE) | < 3.11.6 |
| pkg:rpm/opensuse/python-orjson&distro=openSUSE%20Leap%2016.0 | (no CPE) | < 3.10.15-160000.3.1 |
| pkg:rpm/opensuse/python-orjson&distro=openSUSE%20Tumbleweed | (no CPE) | < 3.11.5-1.1 |
| pkg:rpm/suse/python-orjson&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | (no CPE) | < 3.10.15-160000.3.1 |
| pkg:rpm/suse/python-orjson&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | (no CPE) | < 3.10.15-160000.3.1 |
References
- github.com/advisories/GHSA-hx9q-6w63-j58v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-67221 (ghsa, ADVISORY)
- github.com/ijl/orjson/commit/62bb185b70785ded49c79c26f8c9781f1e6fe370 (ghsa, WEB)
- github.com/ijl/orjson/issues/620 (ghsa, WEB)
- github.com/kpatsakis/CVE-2025-67221/issues/1 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/orjson/PYSEC-2026-107.yaml (ghsa, WEB)