CVE-2024-27454: n/a
orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
AI Analysis
Technical Summary
CVE-2024-27454 identifies a vulnerability in the orjson library, a popular high-performance JSON parsing and serialization library for Python. The issue lies in the orjson.loads function prior to version 3.9.15, which fails to impose a limit on recursion depth when parsing deeply nested JSON documents. This lack of recursion control can lead to excessive stack consumption or resource exhaustion, resulting in a denial of service (DoS) condition. The vulnerability is classified under CWE-674 (Improper Control of a Resource Through a Limit Condition). The CVSS v3.1 base score is 7.5, reflecting high severity: low attack complexity, network attack vector, no privileges required, no user interaction needed, and impact limited to availability (no confidentiality or integrity impact). Exploitation involves sending a crafted JSON payload with excessive nesting to an application that passes it to the vulnerable orjson.loads function, causing the application to crash or become unresponsive. No patches or exploit code are currently publicly available, but the fix involves adding recursion depth limits to prevent stack overflow or resource exhaustion. This vulnerability primarily affects Python applications that rely on orjson for JSON deserialization, especially those exposed to untrusted input such as web services, APIs, or microservices.
Potential Impact
The primary impact of CVE-2024-27454 is denial of service, where an attacker can cause applications using vulnerable orjson versions to crash or hang by sending deeply nested JSON payloads. This can disrupt availability of critical services, leading to downtime, degraded user experience, and potential cascading failures in dependent systems. Since orjson is widely used in Python environments for performance-critical JSON processing, many web applications, APIs, and backend services are at risk. The vulnerability does not affect confidentiality or integrity directly but can be leveraged as part of a broader attack chain to cause service interruptions. Organizations relying on orjson in exposed environments face increased risk of service outages, impacting business continuity and potentially leading to financial and reputational damage. The ease of exploitation and lack of required privileges or user interaction make this a significant threat, especially in cloud-native and microservice architectures where JSON parsing is frequent and often exposed to external inputs.
Mitigation Recommendations
To mitigate CVE-2024-27454, organizations should immediately upgrade orjson to version 3.9.15 or later, where recursion limits have been implemented to prevent this vulnerability. If upgrading is not immediately feasible, implement input validation and sanitization to detect and reject JSON documents with excessive nesting depth before deserialization. Employ runtime monitoring and resource limits (such as CPU and memory quotas) on services processing JSON to detect and contain abnormal resource consumption. Consider using alternative JSON libraries with built-in recursion protections if orjson cannot be updated promptly. Additionally, apply network-level protections such as web application firewalls (WAFs) to block suspicious payloads and rate-limit requests to reduce exposure to denial of service attempts. Regularly audit dependencies and maintain an inventory of libraries to ensure timely patching of known vulnerabilities. Finally, incorporate fuzz testing and security testing focused on JSON parsing to proactively identify similar issues in development.
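One way to apply the recommendation above to reject over-nested JSON before deserialization, as an added example that is not code from the advisory or from the orjson project: a single linear pass over the raw bytes counts bracket depth outside string literals and refuses the input once it exceeds a policy limit, so the document never reaches orjson.loads. MAX_DEPTH = 64 is an assumed policy value, and the block falls back to the stdlib json module when orjson is not installed.

```python
"""Depth pre-check in front of orjson.loads (stopgap for CVE-2024-27454 until 3.9.15+)."""
import json

try:
    import orjson  # the library this advisory concerns, if available

    def _loads(data: bytes):
        return orjson.loads(data)
except ImportError:  # fallback so the example runs without orjson installed
    def _loads(data: bytes):
        return json.loads(data)

MAX_DEPTH = 64  # assumption: policy limit chosen for this example


class NestingTooDeep(ValueError):
    """Raised when the input exceeds the configured nesting limit."""


def max_nesting_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Return the peak '[' / '{' nesting depth of raw JSON bytes.

    Brackets inside string literals (including escaped quotes) are ignored.
    Raises NestingTooDeep as soon as `limit` is exceeded, so the cost is O(n)
    in the input size and no Python object tree is ever built for bad input.
    """
    depth = peak = 0
    in_string = escaped = False
    for b in data:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:  # backslash starts an escape sequence
                escaped = True
            elif b == 0x22:  # unescaped quote closes the string
                in_string = False
        elif b == 0x22:
            in_string = True
        elif b in (0x5B, 0x7B):  # '[' or '{'
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"JSON nesting exceeds {limit}")
            peak = max(peak, depth)
        elif b in (0x5D, 0x7D):  # ']' or '}'
            depth -= 1
    return peak


def safe_loads(data: bytes, limit: int = MAX_DEPTH):
    """Reject over-nested documents first, then deserialize the rest."""
    max_nesting_depth(data, limit)
    return _loads(data)
```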
Affected Countries
United States, Germany, United Kingdom, Japan, India, Canada, France, Australia, Netherlands, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-02-26T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d7db7ef31ef0b579af9
Added to database: 2/25/2026, 9:45:33 PM
Last enriched: 2/26/2026, 10:27:06 PM
Last updated: 4/12/2026, 9:12:23 AM