
Unbounded Recursion in Deserialization #458

Closed
DavidBuchanan314 opened this issue Feb 22, 2024 · 3 comments

Comments

@DavidBuchanan314

DavidBuchanan314 commented Feb 22, 2024

orjson does not limit its maximum recursion depth during deserialisation, so deserialising very deeply nested objects will overflow the native call stack. On my system (Fedora 39, aarch64), this results in a segfault. Python's native json module handles this slightly more gracefully.

```python
import json
import orjson

# 10 million nested arrays: deep enough to exhaust the native call stack
nested = b"["*10000000 + b"]"*10000000

try:
    json.loads(nested)
except RecursionError:
    print("RecursionError")  # handled gracefully

try:
    orjson.loads(nested)  # Segmentation fault (core dumped); the except below never runs
except RecursionError:
    print("RecursionError")
```

orjson.dumps() also appears to handle recursion limits gracefully, throwing TypeError: Recursion limit reached (it would be nice if it threw a RecursionError, though).
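A defensive pre-check of the kind an application can place in front of any recursive JSON parser, as an added example that is not from the issue author or the orjson project: it measures nesting depth with a non-recursive byte scan and refuses documents that exceed a configured limit before the parser ever sees them. The `json_nesting_depth` and `bounded_loads` names and the default limit of 100 are assumptions; the stdlib `json` module is used so the snippet runs without orjson installed, but the same check can sit in front of `orjson.loads()`.

```python
"""Bound JSON nesting depth before handing bytes to a recursive parser.

Added example, not code from the orjson project or from the issue author.
Assumes a plain Python environment; stdlib json stands in for orjson.
"""
import json
from typing import Optional


def json_nesting_depth(data: bytes, max_depth: Optional[int] = None) -> int:
    """Return the maximum bracket/brace nesting depth of a JSON document.

    The scan is linear in the input and uses no recursion, so it cannot
    itself exhaust the stack. Brackets inside string literals are skipped,
    with backslash escapes honoured so that "\\"[" is not miscounted.
    If max_depth is given, scanning stops as soon as it is exceeded, so a
    multi-megabyte hostile payload is rejected after a few hundred bytes.
    """
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for byte in data:  # iterating bytes yields ints
        if in_string:
            if escaped:
                escaped = False
            elif byte == 0x5C:  # backslash starts an escape
                escaped = True
            elif byte == 0x22:  # unescaped quote closes the string
                in_string = False
            continue
        if byte == 0x22:  # opening quote
            in_string = True
        elif byte in (0x5B, 0x7B):  # '[' or '{'
            depth += 1
            if depth > deepest:
                deepest = depth
                if max_depth is not None and deepest > max_depth:
                    return deepest
        elif byte in (0x5D, 0x7D):  # ']' or '}'
            depth -= 1
    return deepest


def bounded_loads(data: bytes, max_depth: int = 100):
    """Parse JSON only if its nesting depth is within max_depth.

    Raises ValueError before the parser runs when the limit is exceeded;
    the parser is then free to crash or recurse only on bounded input.
    """
    depth = json_nesting_depth(data, max_depth)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(data)


if __name__ == "__main__":
    # Constructed inputs: a benign document and the nested-array shape from the issue.
    print(bounded_loads(b'{"a": [1, {"b": "[[[not brackets]]]"}]}'))
    hostile = b"[" * 1_000_000 + b"]" * 1_000_000
    try:
        bounded_loads(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The early exit matters for the denial-of-service case: once the scan has seen `max_depth + 1` unclosed brackets it returns immediately, so the cost of rejecting a 2MB payload is proportional to the limit, not to the payload. A depth of 100 is generous for ordinary API documents; pick the smallest limit your own schemas need.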

@DavidBuchanan314 DavidBuchanan314 changed the title Unbounded Recursion Unbounded Recursion in Deserialization Feb 22, 2024
@Zaczero

Zaczero commented Feb 22, 2024

I believe this is a high severity security issue (denial of service). The attack complexity is low, and the vector is network. Any application parsing untrusted user input would be vulnerable to it. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

In my case it's enough that the message size is 2MB (b'[' * 1000000 + b']' * 1000000).

Given the popularity of this project, I would recommend the maintainers set up a security policy to allow for safe disclosure of similar issues in the future. https://github.com/ijl/orjson/security

@ijl
Owner

ijl commented Feb 23, 2024

3.9.15

@ijl ijl closed this as completed Feb 23, 2024
@Zaczero

Zaczero commented Feb 26, 2024

This issue has been assigned CVE-2024-27454.
I have prepared a blog post talking about the vulnerability:
https://monicz.dev/CVE-2024-27454

Thank you DavidBuchanan314 for the report 🙂.
