orjson does not limit recursion for deeply nested JSON documents

The orjson.dumps function in orjson before 3.11.6 does not limit recursion for deeply nested JSON documents...

PYSEC-2026-107

The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents...

Orjson security vulnerabilities

orjson is a fast and accurate Python JSON library developed by ijl’s individual developers. Versions of orjson prior to 3.11.4 have security vulnerabilities, which stem from the orjson.dumps function not properly restricting recursion for deeply nested JSON documents...

CVE-2025-67221

The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents...

PT-2026-3955

Name of the Vulnerable Software and Affected Versions orjson versions through 3.11.4 Description The orjson.dumps function does not limit recursion when processing deeply nested JSON documents. This can lead to a denial of service. Recommendations Update to a version of orjson newer than 3.11.4...

CVE-2025-67221

CVE-2025-67221 concerns the orjson library: the orjson.dumps function in orjson up to version 3.11.4 fails to limit recursion for deeply nested JSON documents. The vulnerability is described across multiple sources (Red Hat, NVD, OSV, etc.), consistently stating that deeply nested JSON can trigge...

CVE-2025-67221

The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents...

CVE-2025-67221

The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents...

CVE-2025-67221

The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents...

Security Bulletin: IBM Datapower Operations Dashboard could allow a remote attacker to cause a denial of service CVE-2025-53864

Summary Connect2id Nimbus JOSE + JWT is used by the IBM Datapower Operations Dashboard for Javascript Object Signing and Encryption Vulnerability Details CVEID:CVE-2025-53864 DESCRIPTION: Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause ...

EUVD-2020-30164

Malware in sbrugna...

EUVD-2024-54825

Malicious code in bioql PyPI...

EUVD-2021-29677

Malicious code in bioql PyPI...

EUVD-2025-21099

Malicious code in bioql PyPI...

express-xss-sanitizer has an unbounded recursion depth

Security Advisory: express-xss-sanitizer Overview A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion depth during sanitization of nested objects. Affected Versions - All versions prior to 2.0.1 Patched Versions - 2.0.1 and later Description The sanitize...

Denial Of Service (DoS)

llamaindexcore is vulnerable to Denial of Service DoS. The vulnerability is due to uncontrolled recursion when parsing deeply nested JSON files, which allows an attacker to cause high resource consumption and potential crashes of the Python process...

CVE-2025-5302 Denial of Service (DOS) in JSONReader in run-llama/llama_index

A denial of service vulnerability exists in the JSONReader component of the run-llama/llamaindex repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth...

CVE-2024-58264

The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data...

CVE-2024-58264

The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data...

CVE-2024-58264

The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data...