SystemDS · CVE-2022-26477
**Name of the Vulnerable Software and Affected Versions**
SystemDS versions prior to 2.2.1
**Description**
The termination condition of the for loop in the `readExternal` method is read from the byte stream and is therefore a controllable variable; if tampered with, it may lead to CPU exhaustion. SystemDS is a distributed system and must serialize and deserialize data, but in many code paths the byte stream is additionally protected by CRC fingerprints. The number of decoders is upper-bounded by twice the number of columns, so an attacker would need to modify two entries in the byte stream in a consistent manner.
**Recommendations**
Users of versions prior to 2.2.1 should update to a version higher than 2.2.1, which carries the fix: an upper bound and explicit termination condition in the read and write logic that improves robustness at almost zero overhead.
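As an added illustration (a constructed example, not SystemDS code), the unbounded read pattern the advisory describes beside the bounded form of the fix. The `DecoderList` class, its method names and the stream layout (column count, decoder count, then one int per decoder) are assumptions for this example.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
// Constructed example of the pattern the advisory describes; not SystemDS code.
// Assumed stream layout: numColumns, decoderCount, then decoderCount int ids.
public class DecoderList implements Externalizable {
    private int numColumns;
    private List<Integer> decoderIds = new ArrayList<>();
    public DecoderList() {} // public no-arg constructor required by Externalizable
    @Override
    public void writeExternal(ObjectOutput out) throws IOException {
        out.writeInt(numColumns);
        out.writeInt(decoderIds.size());
        for (int id : decoderIds) out.writeInt(id);
    }
    // Vulnerable pattern: the loop bound comes from the untrusted stream as-is, so a
    // tampered count (up to Integer.MAX_VALUE) drives the loop with nothing tying it
    // to the real structure of the frame.
    public void readExternalUnbounded(ObjectInput in) throws IOException {
        numColumns = in.readInt();
        int count = in.readInt();
        for (int i = 0; i < count; i++) decoderIds.add(in.readInt());
    }
    // Fixed pattern: enforce the structural invariant (at most two decoders per column)
    // before the count is used as a bound; 2L avoids int overflow for large numColumns.
    @Override
    public void readExternal(ObjectInput in) throws IOException {
        numColumns = in.readInt();
        int count = in.readInt();
        if (numColumns < 0 || count < 0 || count > 2L * numColumns)
            throw new InvalidObjectException("decoder count " + count
                + " exceeds bound for " + numColumns + " columns");
        for (int i = 0; i < count; i++) decoderIds.add(in.readInt());
    }
    public static void main(String[] args) throws IOException {
        // Tampered stream: 3 columns but a decoder count of Integer.MAX_VALUE.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeInt(3);
            out.writeInt(Integer.MAX_VALUE);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            new DecoderList().readExternal(in); // throws InvalidObjectException
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The bounded `readExternal` rejects the tampered count after two int reads, whereas `readExternalUnbounded` would keep looping for as long as the sender supplies data.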