PT-2024-4734 · Microsoft+8 · System.Text.Json+10
Published 2024-07-09 · Updated 2024-12-13 · CVE-2024-30105
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: .NET Core versions prior to 8.x; Visual Studio versions prior to 8.x
Description: The issue is an uncontrolled resource consumption in the JsonSerializer.DeserializeAsyncEnumerable method of the System.Text.Json library in Microsoft .NET and Visual Studio. A remote attacker can exploit it to cause a denial of service: when JsonSerializer.DeserializeAsyncEnumerable processes untrusted input, the resulting resource exhaustion can take the service down.
Recommendations: For .NET Core versions prior to 8.x, update to version 8.x or later to resolve the issue. For Visual Studio versions prior to 8.x, update to version 8.x or later to resolve the issue. As a temporary workaround, consider restricting the use of the JsonSerializer.DeserializeAsyncEnumerable method on untrusted input until a patch is available.
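As an added example (not code from the advisory, Microsoft, or the System.Text.Json project), one way to apply the temporary workaround on an unpatched host: cap the size of the untrusted body, then parse the bounded buffer with the non-streaming JsonSerializer.Deserialize overload instead of handing an unbounded stream to JsonSerializer.DeserializeAsyncEnumerable. The Event record, the byte and depth limits, the timeout, and the sample body are assumptions chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical element type for the untrusted JSON array (an assumption for this example).
public record Event(string Name, int Value);

public static class BoundedJsonReader
{
    // Workaround shape for unpatched hosts: never pass an unbounded stream to the
    // streaming deserializer. Read at most maxBytes, fail fast above that, and parse
    // the bounded buffer with the non-streaming overload. The limits are assumptions
    // chosen for this example, not values taken from the advisory.
    public static async Task<List<Event>> ReadEventsAsync(
        Stream untrusted, long maxBytes, TimeSpan timeout)
    {
        using var cts = new CancellationTokenSource(timeout);
        using var capped = new MemoryStream();
        var chunk = new byte[8192];
        int read;
        while ((read = await untrusted.ReadAsync(chunk, cts.Token)) > 0)
        {
            if (capped.Length + read > maxBytes)
                throw new InvalidDataException($"Body exceeds {maxBytes} bytes; rejected.");
            capped.Write(chunk, 0, read);
        }
        // MaxDepth bounds nesting in addition to the byte cap on total size.
        var options = new JsonSerializerOptions { MaxDepth = 32 };
        var payload = capped.GetBuffer().AsSpan(0, (int)capped.Length);
        return JsonSerializer.Deserialize<List<Event>>(payload, options) ?? new List<Event>();
    }

    public static async Task Main()
    {
        // Constructed sample input standing in for an untrusted request body.
        var sample = "[{\"Name\":\"login\",\"Value\":1},{\"Name\":\"logout\",\"Value\":2}]";
        using var body = new MemoryStream(Encoding.UTF8.GetBytes(sample));
        var events = await ReadEventsAsync(body, maxBytes: 64 * 1024, timeout: TimeSpan.FromSeconds(5));
        Console.WriteLine($"Parsed {events.Count} events within the configured limits.");
    }
}
```

Once the host is on a fixed version, the streaming method can be reinstated, but keeping a byte cap and timeout in front of any deserializer of untrusted input remains good practice.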

Tags: Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2024:4450
ALSA-2024:4451
ALT-PU-2024-12835
ALT-PU-2024-13115
ALT-PU-2024-16799
BDU:2024-05254
BIT-DOTNET-2024-30105
BIT-DOTNET-SDK-2024-30105
CESA-2024_4451
CVE-2024-30105
GHSA-HH2W-P6RV-4G7W
INFSA-2024_4450
INFSA-2024_4451
RHSA-2024:4450
RHSA-2024:4451
RHSA-2024_4450
RHSA-2024_4451
RLSA-2024:4450
RLSA-2024:4451
USN-6889-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Net Core
Red Hat
Red Os
Rocky Linux
System.Text.Json
Ubuntu
Visual Studio