PT-2025-17447 · Amazon · Amazon.Iondotnet
Josh Coleman
·
Published
2025-04-21
·
Updated
2025-04-26
·
CVE-2025-3857
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Amazon.IonDotnet versions prior to 1.3.1
Description
The issue occurs when reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class. Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the binary format. If the Ion data is malformed or truncated, this triggers an infinite loop condition that could potentially result in a denial of service.
Recommendations
Upgrade to Amazon.IonDotnet version 1.3.1 and ensure any forked or derivative code is patched to incorporate the new fixes.
Fix
DoS
Infinite Loop
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Amazon.Iondotnet