@b-per we limit the version because there's a buffer overrun bug introduced in orjson that makes bigger loads segfault, and it is probably exploitable.
The CVE looks more like DDoS; a stack overflow should not be easily exploitable, so we will probably keep the pin until they really fix the above.
The PR log does not look promising (already 3 PRs that failed to fix the bug):
dlt version
0.4.4

Describe the problem
"orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents" (dependabot link)
But dlt 0.4.4 pins orjson to "<=3.9.10", so we can't upgrade orjson to the fix.

Expected behavior
dlt doesn't pin orjson to "<=3.9.10", and we can update orjson to the new version with the fix.

Steps to reproduce
N/A

Operating system
macOS

Runtime environment
Local

Python version
3.11

dlt data source
No response

dlt destination
No response

Other deployment details
No response

Additional information
No response
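The advisory quoted in this issue (orjson.loads before 3.9.15 does not limit recursion for deeply nested documents) can be mitigated at the call site whichever orjson version the pin allows. The following is an added example, not code from the dlt project or from orjson: a hypothetical `safe_loads` wrapper that measures nesting depth with one linear scan of the raw text and refuses documents beyond a configurable bound before the bytes reach the deserializer. It uses the standard library's `json.loads` so it runs without orjson installed; passing `orjson.loads` as the `loader` argument is the assumed real-world use.

```python
import json
from typing import Any, Callable, Union


class JsonTooDeep(ValueError):
    """Raised when a JSON document nests deeper than the allowed bound."""


def json_nesting_depth(data: Union[bytes, str]) -> int:
    """Return the maximum object/array nesting depth of a JSON text.

    Scans the text once: '{' and '[' increase depth, '}' and ']' decrease
    it. Characters inside string literals are skipped (including escaped
    quotes) so brackets in string values are not counted. This does not
    validate the document; the real parser still does that afterwards.
    """
    if isinstance(data, bytes):
        data = data.decode("utf-8", errors="replace")
    depth = 0
    max_depth = 0
    in_string = False
    escaped = False
    for ch in data:
        if in_string:
            if escaped:
                escaped = False          # the escaped character is consumed
            elif ch == "\\":
                escaped = True           # next character is escaped
            elif ch == '"':
                in_string = False        # closing quote of the string
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch in "}]":
            depth -= 1
    return max_depth


def safe_loads(
    data: Union[bytes, str],
    max_depth: int = 64,
    loader: Callable[[Any], Any] = json.loads,
) -> Any:
    """Deserialize JSON only if its nesting depth is within max_depth.

    `loader` is the deserializer actually in use. The default json.loads is an
    assumption so the example runs stand-alone; a caller on orjson would pass
    orjson.loads here (hypothetical usage, not the dlt project's code).
    """
    depth = json_nesting_depth(data)
    if depth > max_depth:
        raise JsonTooDeep(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return loader(data)


if __name__ == "__main__":
    # Constructed sample inputs: a normal document and a deeply nested one.
    ordinary = b'{"rows": [{"id": 1, "tags": ["[[not counted]]"]}]}'
    deep = "[" * 500 + "]" * 500
    print(safe_loads(ordinary))
    try:
        safe_loads(deep, max_depth=64)
    except JsonTooDeep as exc:
        print("rejected:", exc)
```

The bound is enforced on the raw text, so the cost is one pass over the input and no recursion, which is the property the unpatched parser lacks. A depth of 64 is far above what ordinary API payloads use; pick a value from your own data rather than the default.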