PT-2021-8147 · Newtonsoft · Newtonsoft.Json

Gil Mirmovitch · Published 2021-01-19 · Updated 2025-11-28 · CVE-2024-21907

CVSS v2.0: 7.8 (Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Name of the Vulnerable Software and Affected Versions: Newtonsoft.Json versions prior to 13.0.1

Description: The issue is an improper handling of exceptional conditions vulnerability in the Newtonsoft.Json library. Crafted data passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception, resulting in denial of service. Depending on how the library is used, an unauthenticated remote attacker may be able to cause the denial of service condition. The vulnerability can be exploited by passing highly nested JSON data, which can cause high CPU and RAM usage or a StackOverflow exception.

Recommendations: To mitigate the issue, update Newtonsoft.Json to version 13.0.1 or set the MaxDepth parameter in the JsonSerializerSettings to a suitable value, such as 128, to prevent excessive nesting. This can be done globally with the following statement:

JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };
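The following is an added example, not code from the advisory or from the Newtonsoft.Json project: it applies the recommended global MaxDepth setting and verifies that an over-nested input is rejected with a JsonReaderException at the depth limit rather than being parsed recursively until the stack is exhausted. The nesting depths (100 and 200) and the helper names are constructed for the demonstration.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;

// Added example (not from the advisory): enforce the advised MaxDepth and
// confirm that over-nested JSON is rejected as a handled exception.
static class MaxDepthDemo
{
    // Apply the advisory's global mitigation once, at application start-up.
    static void ConfigureSerializer()
    {
        JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };
    }

    // Constructed sample input: an array nested 'depth' levels deep, e.g. [[[...]]].
    static string NestedArrays(int depth)
    {
        var sb = new StringBuilder();
        sb.Append('[', depth).Append(']', depth);
        return sb.ToString();
    }

    // Returns true if the document parsed, false if the depth limit rejected it.
    // With MaxDepth set, the reader throws JsonReaderException as soon as the
    // limit is crossed, so the request can be logged and refused cheaply.
    static bool TryDeserialize(string json)
    {
        try
        {
            JsonConvert.DeserializeObject<object>(json);
            return true;
        }
        catch (JsonReaderException ex)
        {
            Console.WriteLine($"Rejected: {ex.Message}");
            return false;
        }
    }

    static void Main()
    {
        ConfigureSerializer();
        Console.WriteLine(TryDeserialize(NestedArrays(100)));   // within the limit: True
        Console.WriteLine(TryDeserialize(NestedArrays(200)));   // exceeds MaxDepth 128: False
    }
}
```

The check in TryDeserialize is the place to add request-level logging or metrics, since a spike in rejected depth-limit errors is the observable signal that someone is probing this weakness.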

Exploit

Fix

DoS

Improper Handling of Exceptional Conditions

Weakness Enumeration

Related Identifiers: BDU:2024-08967, CVE-2024-21907, GHSA-5CRP-9R3C-P9VR, GHSA-8RFX-6MR3-5JH3

Affected Products: Newtonsoft.Json