CVE-2024-27454
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-27454
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-27454.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-27454
- Aliases
- Downstream
- Related
- Published
- 2024-02-26T16:28:00Z
- Modified
- 2025-09-19T15:31:25.683652Z
- Summary
- [none]
- Details
-
orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
- References
Affected packages
Git / github.com/ijl/orjson
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ijl/orjson
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
2.*
2.0.0
2.0.1
2.0.10
2.0.11
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.3.0
2.4.0
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.6.9
3.7.0
3.7.1
3.7.10
3.7.11
3.7.12
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.7.9
3.8.0
3.8.1
3.8.10
3.8.11
3.8.12
3.8.13
3.8.14
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.9.0
3.9.1
3.9.10
3.9.11
3.9.12
3.9.13
3.9.14
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
3.9.7
3.9.8
3.9.9
Database specific
{
"vanir_signatures": [
{
"digest": {
"function_hash": "291336990439210803847972151107131088133",
"length": 201.0
},
"id": "CVE-2024-27454-53094a46",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "include/yyjson/yyjson.c",
"function": "yyjson_mut_doc_free"
},
"deprecated": false
},
{
"digest": {
"function_hash": "186154536881393616078813824627451582591",
"length": 513.0
},
"id": "CVE-2024-27454-6bd66ca7",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "include/yyjson/yyjson.c",
"function": "unsafe_yyjson_num_equals"
},
"deprecated": false
},
{
"digest": {
"function_hash": "73038188363343731307793459541701754508",
"length": 1418.0
},
"id": "CVE-2024-27454-a3b65514",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "include/yyjson/yyjson.c",
"function": "pool_realloc"
},
"deprecated": false
},
{
"digest": {
"function_hash": "109770599930998860796919092100114210573",
"length": 1003.0
},
"id": "CVE-2024-27454-a4ae24a7",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "include/yyjson/yyjson.c",
"function": "yyjson_mut_merge_patch"
},
"deprecated": false
},
{
"digest": {
"function_hash": "1629962620359660383248846018483621895",
"length": 187.0
},
"id": "CVE-2024-27454-a70c3ce6",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "include/yyjson/yyjson.h",
"function": "yyjson_doc_free"
},
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"151072014178737402040579566865062613979",
"24252991186268969339292801120578033625",
"190476808598830246958025571648166849642",
"26171303150257458362588919690913131476",
"91066063360967135645864003752733609114",
"131155047654742328611757926182212527357",
"192128937373403354353641247960479671264",
"35072441809925614722747166108619896151",
"211618213134592360732891113351063976088",
"96190134605256029927726050886414725449",
"169695460044644434395865401372617783683",
"136718262649775137330550769375610710255",
"131454260207112158220577684708487059798",
"85226088499811028777551157249498676140",
"1389306516658042771112046454081781688",
"93007126250292413949167460505596045636",
"220733807210828290349016645386797783734",
"30547016265975445433295982317348873007",
"178280809670827076464859645316117578251",
"104429094833436277921833439907609636649",
"223366137663518817751947341599061321438",
"27520690594311739676841344397809730602",
"278771973958855275394037529513834385998",
"89703060654160315458317469643868134963",
"204586401507700374039370205051618916922",
"132494521543643880861807005416534544795",
"321698608438606789865321242450583250473",
"69783411315328205326659711898040803023",
"138378858874417082379907935593442860044",
"121285508944040898283193521907296300347",
"291055492614013787831956224877249641854",
"8224769022337712068690515575290221105",
"120482230977544129537172770538575378417",
"29741651447752548368972684154399506365",
"93362542092307508254133804332942156824",
"280806148781869677712719320086233025231",
"234511404223960691387055614585959663278",
"253404287506661053734328456329539809766",
"75935217981792613098612037699947038597",
"63571701761648964507379880362984831284",
"324468585294989272768274262844286945483",
"42859830916574062749620158487714887425",
"66837958146181784883223883505479941798",
"88189881741112520515314764984936319675",
"117295145169061272209392908624037921376",
"25103258604674465085922168600046739628",
"193216964637213936744062174903487872633",
"171883967302994203122934407142500980449",
"59577883469736844652325001309873532572",
"251574329408107720369161291098962896106",
"260566787239594745607618440233487077012",
"237011951183076796793680189539948064942",
"203347342873882937158685485099833381514",
"57343241606701108092754252271669774258",
"193506768774466710390949164234290176940",
"24626674706165470468076788967523553179",
"224686856950113222593640358778694449422",
"145025899346011072654226550815006803152",
"36805375167402112979959936491782766658",
"85508600818059862050130767840094938846",
"174670178248503727543824397863442748693",
"277444601334304452343645592288468059248",
"271390730493140923967179671597393889452",
"213400865094602214201384791291514998118",
"55477772246203745648924316622414952938",
"174643833165651968728350755702359754671",
"85989465752756872528796181503367185254",
"142078940463727821466704615057346330945",
"233856352182113750028278051998408154716",
"18911655145560220004634907231111940894",
"303840677043144825088424432380646996996",
"35978683046185941711649805618322660082",
"243368138412415145815795746734587763161",
"229375306028385798926498584730156511897",
"80877225103428432213690726900037423919",
"65981121165935197575597657594547002479",
"69317628237204971635603523843191484639",
"328288099310947053755468995729055532932",
"216674508512656128470569686298891376577",
"95638999314902965694559458421227744197",
"323875357356017766844659512352681822960",
"203707165597278179866095539774549463228",
"11913342284658756569521896779973759089",
"135890616631599526288495703236914727119",
"327171461760330660880004725090749343258",
"318984531874008624598372747938682277457",
"69317628237204971635603523843191484639",
"328288099310947053755468995729055532932",
"100256290194093415966970983726278727166",
"339819983657736313997079699743630462881"
]
},
"id": "CVE-2024-27454-a9ed0225",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "include/yyjson/yyjson.h"
},
"deprecated": false
},
{
"digest": {
"function_hash": "72255864202564116328000145120730997772",
"length": 1143.0
},
"id": "CVE-2024-27454-b29de03e",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "include/yyjson/yyjson.c",
"function": "unsafe_yyjson_equals"
},
"deprecated": false
},
{
"digest": {
"function_hash": "165287065959091275569122475376423080215",
"length": 1172.0
},
"id": "CVE-2024-27454-c945a439",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "include/yyjson/yyjson.c",
"function": "unsafe_yyjson_mut_equals"
},
"deprecated": false
},
{
"digest": {
"function_hash": "169270756623966942895291315371998114521",
"length": 716.0
},
"id": "CVE-2024-27454-cbc257c8",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "include/yyjson/yyjson.c",
"function": "pool_malloc"
},
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"241488928768973869060686104368036563455",
"149227469907681641162530794266865233393",
"148208342904495842344046584754377914975",
"173081033271364393327024327549997306515",
"24187651478014215609493135013594109818",
"332446858819352194556401784912674927448",
"248115622643411017014463744101662045076",
"12694608662650873083865978422136282107",
"230978097825430796662495843794579671197",
"275119424832836689681962854099543133936",
"140750114323637082373500486573351743479",
"20008320528468912998818611536750874812",
"77803553326404584512374891519945283562",
"300704550633020873005720811370928926665",
"326842087820217685825660516534393296098",
"336629435486321564080450600381156634920",
"336810518090160056345075684760638391091",
"119874779428381903600086844554488854940",
"327868826406737990255478171815371760261",
"2372960712054803823101567305295910339",
"62929815413602078549605497333996329611",
"298157618191185937246921967913965088323",
"3289303036019761293442751756364454649",
"270755910421970623932275174540104037864",
"60049053673598219100517917619993064547",
"73389507646893353787987083532309622951",
"18172956945277547619914312165135630965",
"18568223480261474934401227342938515355",
"83477999338446669992506267193212746072",
"288644948172868217591830991360012558984",
"186842061877855325158675694093359248232",
"17904713162459532363162990463711347487",
"318342000313070254078801317364655523115",
"12491766833886447356297650187030985543",
"300255392267631691633078835463295840835",
"326969916406971289774173364811128060945",
"318015896120068969541869939421077752475",
"205564035631591395147390668562460126464",
"124586779004716408403762583641331383127",
"16029577635793179127234378775381247650",
"217262673663677541609757491556508826226",
"128597200764434010456614000728893059102",
"199304597357779445177336182680198469655",
"257663786154525321748626251422701654228",
"325192733469662416017727292743753715311",
"232582865813897834948864073519662414421",
"92467084291192175703942607942671512081",
"27095367573584460113814568892591240939",
"206848083861276513573387047073565220589",
"147995093771741479201014054394804828533",
"171825872278704627413668243876172173791",
"206902230098017780062904993407102676574",
"83242386327488899862661367358729104001",
"256425108524168362650363836884602213650",
"324381070881086977404650917130920109290",
"144062233918343562593065077398561632070",
"99589087384867711434463308445171489133",
"138883743528109519801310653856311209535",
"197129498016761613592386061266707773680",
"202397881245139719891516257857729654668",
"41267602092535128141146843131952590479",
"297906871219172738314300122374421978959",
"182039126966709151359213749443716396090",
"258825570368581682374300191396797948437",
"13281746258490909675496669663509142552",
"89903955468477720608436642015366614468",
"316168304313259207202946101091622790211",
"314404860609969414249911110056976212145",
"113548268154523627572557180567080143117",
"234472121834188195095376559062182563612",
"128928017288290002838239072540548036881",
"271690248748977850212337410919261631645",
"258562044582816094521590421758488287802",
"102988160602765332585241309252648859447",
"136401939246120831105862097650520813876",
"154835899637749688089170024161846366205",
"149290592740796265451267232868866633149",
"251234247201349792828397208560648083991",
"248991127679546449485184922296305225323",
"305255347903738171025427394092714328799",
"229400043046323821320043472676401275431",
"254527852513865151299317291404918791337",
"164139058232365144517634397673369822858",
"9881348905041014115845709372344304512",
"72302531691023663229477368509637560735",
"105944861754104684365716484265396353646",
"34777827158027852993321296658946658411",
"214468940361424149409521595716232540664",
"105735929565354399353474068149378981507",
"14094651083065582526383864461639232052",
"18145667604279134110365788988194919635",
"34096271216240287472269685213179648818",
"248344279235788451267979463952229404921",
"121182795280111835893389910203542420267",
"217662999724426872682808377865584625969",
"131632877796517988626914365705092021067",
"72183514416223867759335124034255732710",
"116455297275407360564947513511033719032",
"97182190287575821600983669617659485085",
"201491839743831625409142208307563537738",
"290038069401355722977009237306156483568",
"180609602510514176541388583203411034943",
"40427487075949516171724174337347104342",
"166373056199316816262427645664624196104",
"247675923981275155579269533789372005309",
"127172088915242968619416220723051970782",
"169597347413639425932785040104840431171",
"138300992356270214967420765101284836369",
"175710521100249162765442936426030223290",
"79859837940437946300389507536056195099",
"211490558230190337193767676607690193879",
"145444032306598297318136551216021500852",
"238137186195655084310793167370504429013",
"115240404576987615318776088845922774986",
"74740264959228639513671557218124609754",
"295163250934104907765863530916133390047",
"309509672788684683638540999597668338430",
"269355747391773183174288010416935035948",
"235009972278436816641841618748005062207",
"107161523484576950322961056251547195690",
"20867659438962136656714176961351721553",
"28064282752919825191284290554583313675",
"234416396278193644242730177117610086855",
"29682246242118197206992534142169200926",
"136041161802603000045420940701171591812",
"325458390162106033410892658361775619939",
"277547226775600200814452998751654166954",
"113218624621515996260383885725858076129",
"291973253313504918623937591406753586163",
"105281214477513770742255342244573834081",
"232817381736605723671967452853325818605",
"111148221747383042580521756079926034638",
"51634624064913916563204476291561445136",
"196878373788087689804091290935430821880",
"145444032306598297318136551216021500852",
"238586583692998192383100667060476848044",
"40963464267258847356040104665962035988",
"59663909276308307636957910477708405383",
"295163250934104907765863530916133390047",
"309509672788684683638540999597668338430",
"269355747391773183174288010416935035948",
"308272870412561502061994904322460851662",
"107161523484576950322961056251547195690",
"20867659438962136656714176961351721553",
"28064282752919825191284290554583313675",
"234416396278193644242730177117610086855",
"29682246242118197206992534142169200926",
"136041161802603000045420940701171591812",
"325458390162106033410892658361775619939",
"277547226775600200814452998751654166954",
"113218624621515996260383885725858076129",
"291973253313504918623937591406753586163",
"105281214477513770742255342244573834081",
"232817381736605723671967452853325818605",
"111148221747383042580521756079926034638",
"51634624064913916563204476291561445136",
"196878373788087689804091290935430821880",
"145444032306598297318136551216021500852",
"238586583692998192383100667060476848044",
"40963464267258847356040104665962035988",
"59663909276308307636957910477708405383",
"66695218512419752186507124895898628958",
"145225492427573898699418714660339751298",
"299776522124579111931207718646212563796",
"168691542637108154315505909452449881621",
"320812472266523014075620996190737566036",
"302777993383963840696654131943869888587",
"264574266915845291592127552323975502490",
"305271337616841813097476245905815246105",
"135909980224751506345884537234819372058",
"214514719980480578306576488310716468113",
"56880747191710912067409454321130644206",
"40812981489275548971130673381816937604",
"66032547834059732658958764779852945968",
"309986516728504733185255467161622060142",
"284987196793595282618483368864608331860",
"183164106428581848747783655460743841769",
"22286508962769690872349881805829929895",
"28073166625539008491154203223947985587",
"44798502050623979861443399521182563878",
"104135540501795254700613121542898069161",
"33080386313454791924665786604269030002",
"325237775132221247830987390308885973285",
"278796804525984866453983599999412232041",
"156248399739456477801371587986327198027",
"228504531623084519588200812240122449584",
"174113495688744253618857136392327306889",
"118483811594972584489693487298678880924",
"307917531564815914956764288976694574133",
"157414776151782082843970611582468326643",
"241445809808774613017209456911974777640",
"66695218512419752186507124895898628958",
"254729476972503302892192065142785575603",
"139834911109144190328206814615170368411",
"23959950379951070319703131476900491880",
"316822440253979901347645414945669189448",
"118306053278059247298193590741787796057",
"167687603689578020114528559398918634209",
"253880963171081438857955947511849696049",
"283285963754981986670667316987896718814",
"299197448420435641194912314722692396787",
"233078099533497215931205465143948973115",
"206135048958013451250476773913621955026",
"316822440253979901347645414945669189448",
"29246604382726104940778350386289821818",
"171348105478297127544955999820402806596",
"320409644576277592133852237657543159845",
"66695218512419752186507124895898628958",
"13618828047508331094443612675052752072",
"71928966729850204495020335149785306873",
"133413127717154840137901803309583369512",
"316822440253979901347645414945669189448",
"118306053278059247298193590741787796057",
"167687603689578020114528559398918634209",
"47804916281902768898396642065868582435",
"283285963754981986670667316987896718814",
"254762124171431341460907270329087867212",
"339549008185724869339754263210915798446",
"140545698867636162358685402480674757169",
"316822440253979901347645414945669189448",
"29246604382726104940778350386289821818",
"171348105478297127544955999820402806596",
"64358194896643125604346589819838348445"
]
},
"id": "CVE-2024-27454-e417463e",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "include/yyjson/yyjson.c"
},
"deprecated": false
},
{
"digest": {
"function_hash": "143617206470948816817268669945748516579",
"length": 1139.0
},
"id": "CVE-2024-27454-ed3ea055",
"source": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "include/yyjson/yyjson.c",
"function": "yyjson_merge_patch"
},
"deprecated": false
}
]
}