Python aiograpi, Dependency Pinning Mismatch, CVE-2025-67221 (Low)

How the mentioned CVE works: The vulnerability stems from a dependency‑resolution flaw in aiograpi versions 0.6.6, 0.7.0, and 0.7.1. The project’s `requirements.txt` correctly pinned `orjson==3.11.6` (later updated to 3.11.8), but `setup.py` carried its own hard‑coded `requirements = […]` list (the value handed to `install_requires`) that never received the same update and stayed at `orjson==3.11.4`. `requirements.txt` is a developer convenience that pip reads only when asked (`pip install -r requirements.txt`); the dependencies pip resolves when installing a package come from the package metadata that `setuptools` generates from `setup.py`. Consequently, a user running `pip install aiograpi==0.6.6` (or 0.7.0/0.7.1) would actually pull and install orjson 3.11.4. That version of `orjson` is affected by CVE-2025-67221, a stack overflow in `orjson.dumps()` when serializing deeply nested input: the recursive serialization routine does not enforce a depth limit, so an attacker‑controlled structure (e.g., a list nested thousands of levels deep) can exhaust the native call stack and crash the Python interpreter. In aiograpi, `orjson` is used to encode request bodies that aiograpi itself builds and to decode Instagram’s JSON responses, so normal usage does not expose attacker‑controlled nesting depths. However, if an application passes user‑supplied payloads into `client.public_request(…)` or similar, or feeds an aiograpi‑decoded `last_json` back into recursive serialization, the vulnerable `orjson.dumps()` can be reached. aiograpi 0.7.2 fixed the problem by migrating to `pyproject.toml` (PEP 621), which gives the project a single source of truth for dependencies and resolves `orjson==3.11.8`.
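A drift check for the root cause above, as an added example (not code from aiograpi or the advisory): it parses the pins in a constructed `requirements.txt` and a constructed `install_requires` list, reports where they disagree, and, when a distribution is installed, reads the `Requires-Dist` metadata that pip actually resolved from. The names `find_drift`, `pin_guarantees_fix`, `installed_requires` and the `ORJSON_FIXED_IN = "3.11.6"` threshold are this example’s own assumptions, and the version comparison handles plain `X.Y.Z` pins only.

```python
"""Find dependency pins that drift between requirements.txt and the
install_requires list in setup.py, the root cause described above.

Added example; this is not code from the aiograpi project.  The
requirements.txt text and install_requires list below are constructed
to mirror the mismatch in the advisory (orjson 3.11.6 vs 3.11.4).
Only the setup.py list matters to `pip install <package>`: pip resolves
from the package metadata setuptools generates, never from requirements.txt.
"""
import importlib.metadata
import re
from typing import Dict, Iterable, List, Optional, Tuple

# project name, comparison operator, version; anything after the version is ignored
PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|<|>)\s*([0-9][0-9A-Za-z.]*)"
)

Pin = Tuple[str, str]  # (operator, version)


def parse_pins(lines: Iterable[str]) -> Dict[str, Pin]:
    """Map normalised project name -> (operator, version).  Comments, blank
    lines, -r/-e directives and unversioned names are skipped."""
    pins: Dict[str, Pin] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = PIN_RE.match(line)
        if m:
            name, op, ver = m.groups()
            pins[name.lower().replace("_", "-")] = (op, ver)
    return pins


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.11.4' -> (3, 11, 4).  Pre-release tails such as 'rc1' are dropped,
    which is enough for comparing plain X.Y.Z pins."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def find_drift(requirements_txt: str, install_requires: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Return {name: (pin in requirements.txt, pin in setup.py)} for every
    package that is pinned differently in the two places."""
    req = parse_pins(requirements_txt.splitlines())
    setup = parse_pins(install_requires)
    return {
        name: (req[name][0] + req[name][1], setup[name][0] + setup[name][1])
        for name in sorted(req.keys() & setup.keys())
        if req[name] != setup[name]
    }


def pin_guarantees_fix(pin: Pin, fixed_in: str) -> bool:
    """True only when the specifier cannot select a version older than
    fixed_in: an exact or lower-bound pin at or above the fixed version."""
    op, ver = pin
    return op in ("==", ">=") and version_tuple(ver) >= version_tuple(fixed_in)


def installed_requires(dist_name: str) -> Optional[List[str]]:
    """Requires-Dist lines of an installed distribution (what pip resolved
    from), or None when it is not installed."""
    try:
        return importlib.metadata.requires(dist_name) or []
    except importlib.metadata.PackageNotFoundError:
        return None


# Constructed sample input mirroring the advisory (not aiograpi's real files)
REQUIREMENTS_TXT = """# constructed sample
aiohttp>=3.9
orjson==3.11.6
"""
INSTALL_REQUIRES = ["aiohttp>=3.9", "orjson==3.11.4"]  # constructed stale setup.py list
ORJSON_FIXED_IN = "3.11.6"  # first orjson version the advisory treats as safe (assumption)

if __name__ == "__main__":
    for name, (req_pin, setup_pin) in find_drift(REQUIREMENTS_TXT, INSTALL_REQUIRES).items():
        print(f"{name}: requirements.txt says {req_pin}, setup.py says {setup_pin}")
    setup_pin = parse_pins(INSTALL_REQUIRES)["orjson"]
    print("pip would install a fixed orjson:", pin_guarantees_fix(setup_pin, ORJSON_FIXED_IN))
    # Against a real environment: what does the installed aiograpi actually declare?
    live = installed_requires("aiograpi")
    if live is not None:
        print("installed aiograpi pins orjson as:", parse_pins(live).get("orjson"))
```

Run it in CI against the real files to catch the drift before a release; the `installed_requires` path is the quick way to confirm, on a deployed host, which orjson pin the installed aiograpi metadata carries.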

dailycve form:

Platform: aiograpi Python package
Version: 0.6.6 to 0.7.1
Vulnerability: Dependency pinning mismatch
Severity: Low
Date: 2025-04-10

Prediction: Expected patch 2025-05-01

What Undercode Say:

```bash
# Check the currently installed orjson version
pip show orjson | grep Version
# Verify the aiograpi version
pip show aiograpi | grep Version
# Force a non-vulnerable orjson alongside an affected aiograpi. Do it in two
# steps: the affected releases pin orjson==3.11.4 in their metadata, so a single
# `pip install 'aiograpi==0.7.1' 'orjson>=3.11.6'` fails with a resolver conflict.
# The second step succeeds but prints a dependency-conflict warning, because the
# installed aiograpi metadata still declares the old pin.
pip install 'aiograpi==0.7.1'
pip install 'orjson>=3.11.6'
# Upgrade to the fixed aiograpi version
pip install -U 'aiograpi>=0.7.2'
# Test for the vulnerability: serialize a list nested 50000 levels deep.
# A vulnerable orjson crashes the interpreter; a fixed build is expected to
# fail with a Python exception (orjson's dumps() enforces a nesting limit and
# raises JSONEncodeError) instead of a crash.
python -c "import orjson, functools; orjson.dumps(functools.reduce(lambda acc, _: [acc], range(50000), []))"
```
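The probe above kills whatever interpreter it runs in if orjson is vulnerable. The following is an added example (not from the advisory, aiograpi or orjson) that runs the same deep-nesting test in a child process with `subprocess` and classifies the outcome from the exit status: death by signal (`returncode < 0` on POSIX) or the Windows `STATUS_STACK_OVERFLOW` code means the crash, while a Python exception in the child means the serializer enforced a limit. The default depth of 100000, the verdict strings and the function names are this example’s own choices.

```python
"""Run the deep-nesting dumps() probe in a child process so that a
vulnerable orjson cannot take the calling process down with it.

Added example; not code from the advisory, aiograpi or orjson.
Assumes orjson is importable by the same interpreter (sys.executable).
"""
import subprocess
import sys

STATUS_STACK_OVERFLOW = 0xC00000FD  # Windows NTSTATUS reported for a stack overflow

# Child-side script. The payload is built iteratively (a recursive builder
# would hit Python's own recursion limit long before orjson does) and the
# child reports whether dumps() returned or raised.
PROBE = r"""
import sys
import orjson
depth = int(sys.argv[1])
nested = []
for _ in range(depth):
    nested = [nested]
try:
    orjson.dumps(nested)
    print("serialized")
except Exception as exc:
    print("raised:" + type(exc).__name__)
"""


def classify(returncode: int, stdout: str, stderr: str) -> str:
    """Turn the child's exit status and output into a verdict string."""
    if returncode < 0 or returncode == STATUS_STACK_OVERFLOW:
        return "crashed"                 # killed by a signal / stack overflow: vulnerable
    if returncode != 0:
        if "No module named" in stderr:
            return "orjson-not-installed"
        return "error"                   # some other failure; inspect stderr
    out = stdout.strip()
    if out.startswith("raised:"):
        return "safe:" + out[len("raised:"):]   # serializer enforced a limit
    if out == "serialized":
        return "serialized-no-limit"     # no limit hit at this depth; retry deeper
    return "error"


def probe(depth: int = 100_000) -> str:
    """Run the probe at the given nesting depth and return the verdict."""
    proc = subprocess.run(
        [sys.executable, "-c", PROBE, str(depth)],
        capture_output=True, text=True, timeout=120,
    )
    return classify(proc.returncode, proc.stdout, proc.stderr)


if __name__ == "__main__":
    verdict = probe()
    print(verdict)
    sys.exit(1 if verdict == "crashed" else 0)
```

Because the verdict is derived from the exit status rather than from parsing a traceback, the harness works the same whether the child dies with SIGSEGV, aborts, or returns cleanly, which makes it usable as a gate in a deployment check.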

Exploit:

An attacker would need to control the structure that aiograpi serializes or deserializes. For instance, if an application calls `client.public_request(endpoint, data=attacker_dict)` with an `attacker_dict` that contains a deeply nested list or dict, `orjson.dumps()` on that structure recurses once per nesting level with no bound. A crafted payload of 10,000+ nesting levels (serialized, 10,000+ consecutive `[` brackets) can exhaust the native stack and cause a segmentation fault. Similarly, if aiograpi decodes an attacker‑supplied, deeply nested response, the decoding path (which uses `orjson.loads()`) may also be exposed to stack exhaustion, though the CVE primarily concerns `dumps()`.

Protection from this CVE

  • Upgrade aiograpi to version 0.7.2 or later: `pip install -U 'aiograpi>=0.7.2'`
    – If upgrading is not possible, install a patched orjson after the vulnerable aiograpi: `pip install 'orjson>=3.11.6'`. pip prints a dependency‑conflict warning because the installed aiograpi metadata still declares `orjson==3.11.4`, but the newer orjson is installed regardless. Do not request both packages in a single `pip install`, since the resolver then rejects the conflicting pins outright.
  • Alternatively, patch `setup.py` locally to require `orjson>=3.11.6` and rebuild.
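Upgrading fixes the library, but an application that lets users shape the structures it hands to aiograpi (the `public_request` case from the exploit section) should also bound nesting depth at its own boundary. The block below is an added example (not part of the advisory or aiograpi) that builds the attack payload described above, measures nesting depth with an explicit stack instead of recursion (a recursive checker would overflow on exactly the input it must reject) and refuses to serialize anything deeper than an assumed application limit. `MAX_DEPTH = 64`, the function names and the stdlib `json` fallback used when orjson is absent are this example’s assumptions.

```python
"""Bound the nesting depth of untrusted data before it reaches a JSON
serializer or an aiograpi request call.

Added example; not part of the advisory or aiograpi.  The walk uses an
explicit stack rather than recursion on purpose: a recursive depth
checker would exhaust the Python stack on the very payloads it is meant
to reject.  MAX_DEPTH = 64 is an assumed application limit, well below
the 254 levels orjson's dumps() accepts and above anything a real API
payload needs.
"""
from typing import Any, Optional

MAX_DEPTH = 64  # assumed per-application limit


def nesting_depth(obj: Any, stop_at: Optional[int] = None) -> int:
    """Depth of the deepest container: a scalar is 0, [] is 1, [[]] is 2.
    With stop_at set, the walk stops as soon as that depth is reached, so a
    huge payload is rejected without being traversed in full."""
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = list(node.values())
        elif isinstance(node, (list, tuple)):
            children = list(node)
        else:
            continue                      # scalar leaf contributes nothing
        deepest = max(deepest, depth)
        if stop_at is not None and deepest >= stop_at:
            return deepest
        stack.extend((child, depth + 1) for child in children)
    return deepest


def within_depth(obj: Any, limit: int = MAX_DEPTH) -> bool:
    """True when obj nests no deeper than limit."""
    return nesting_depth(obj, stop_at=limit + 1) <= limit


def build_nested(depth: int) -> list:
    """The attack payload from the exploit section: `depth` nested
    single-element lists, built iteratively so the builder itself cannot
    overflow.  Serialized, it is `depth` consecutive '[' brackets."""
    payload: list = []
    for _ in range(depth - 1):
        payload = [payload]
    return payload


def guarded_dumps(obj: Any, limit: int = MAX_DEPTH) -> bytes:
    """Serialize only after the depth check passes.  Uses orjson when it is
    installed and falls back to the stdlib json module otherwise (assumed
    fallback, so the example runs stand-alone); the check is the point."""
    if not within_depth(obj, limit):
        raise ValueError(f"payload nests deeper than {limit} levels")
    try:
        import orjson
        return orjson.dumps(obj)
    except ImportError:
        import json
        return json.dumps(obj, separators=(",", ":")).encode()


if __name__ == "__main__":
    attack = build_nested(100_000)  # constructed attacker payload
    print("attack payload within limit:", within_depth(attack))
    print(guarded_dumps({"user": "alice", "tags": [["a"], ["b"]]}))
```

Place the `within_depth` check where untrusted input enters (request handler, queue consumer), not next to the serializer call, so the bound holds regardless of which orjson version pip happened to resolve.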

Impact

Successful exploitation leads to a stack overflow crash of the Python process, resulting in denial of service (DoS). In environments where untrusted users can supply JSON structures to aiograpi (e.g., through `public_request` or similar), an attacker could repeatedly crash the service. No remote code execution has been demonstrated, but the crash can disrupt availability. The practical impact is low because most aiograpi workflows do not expose attacker‑controlled nesting depths.

Sources:

Reported By: github.com