BIT-dotnet-sdk-2024-43485
Denial of Service vulnerability in System.Text.Json (NuGet)
What is BIT-dotnet-sdk-2024-43485 About?
This is a Denial of Service vulnerability in `System.Text.Json` (versions 6.0.x and 8.0.x) when deserializing input with `[JsonExtensionData]` properties. An attacker can craft malicious JSON input to trigger an algorithmic complexity attack, leading to high CPU usage. This makes the application unresponsive, causing a denial of service.
Affected Software
- System.Text.Json
  - >8.0.0, <8.0.5
  - >6.0.0, <6.0.10
Technical Details
The vulnerability resides in the System.Text.Json library, specifically in how it handles deserialization to models containing a [JsonExtensionData] property. When an application deserializes specially crafted JSON input into such a model, the algorithm that processes the extension data is open to an algorithmic complexity attack: a relatively small increase in input size or complexity leads to a disproportionately large increase in processing time and CPU consumption. The application becomes unresponsive or consumes excessive resources, resulting in a Denial of Service. This behavior is mitigated if [JsonExtensionData] is not used.
What is the Impact of BIT-dotnet-sdk-2024-43485?
Successful exploitation may allow attackers to make the affected application unresponsive or crash due to excessive resource consumption, leading to a temporary unavailability of services.
What is the Exploitability of BIT-dotnet-sdk-2024-43485?
Exploitation of this vulnerability involves crafting a malicious JSON input that takes advantage of the algorithmic complexity issue in System.Text.Json when deserializing to models with [JsonExtensionData]. The complexity level is moderate, as it requires specific knowledge of the JSON structure and how JsonExtensionData is processed to trigger the resource exhaustion. No authentication or specific privileges are typically required, as the attack relies on submitting malformed input that the application is expected to process. This vulnerability can be exploited remotely if the application accepts and deserializes untrusted JSON input from external sources. The primary pre-condition is the use of System.Text.Json versions 6.0.x (up to 6.0.9) or 8.0.x (up to 8.0.4) in an application that deserializes JSON to a model containing the [JsonExtensionData] attribute. Applications that expose JSON deserialization endpoints and handle untrusted input are at higher risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-dotnet-sdk-2024-43485?
Available Upgrade Options
- System.Text.Json
  - >6.0.0, <6.0.10 → Upgrade to 6.0.10
- System.Text.Json
  - >8.0.0, <8.0.5 → Upgrade to 8.0.5
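One way to check a project against the two preconditions described above (an affected System.Text.Json version and a model that uses [JsonExtensionData]). This is an added example, not code from the advisory or from the .NET project; the function names, the sample project file and the sample source text are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per affected line, from the advisory's upgrade table.
FIXED = {(6, 0): (6, 0, 10), (8, 0): (8, 0, 5)}
EXT_DATA = re.compile(r"\bJsonExtensionData(?:Attribute)?\b")

def classify(version):
    """Return 'affected', 'ok' or 'unknown' for a System.Text.Json version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        return "unknown"  # floating or range syntax (8.*, [8.0.0,)) needs manual review
    v = tuple(int(g) for g in m.groups())  # prerelease suffix ignored (conservative)
    fixed = FIXED.get(v[:2])  # only the 6.0 and 8.0 lines named in the advisory
    # x.0.0 counts as affected, following the "6.0.x (up to 6.0.9)" wording.
    return "affected" if fixed and v < fixed else "ok"

def package_versions(csproj_text, package="System.Text.Json"):
    """Return Version values of direct PackageReference items for the package."""
    found = []
    for el in ET.fromstring(csproj_text).iter():
        if el.tag.split("}")[-1] != "PackageReference":
            continue  # split() also copes with namespaced, old-style project files
        if (el.get("Include") or "").lower() == package.lower():
            child = next((c.text for c in el if c.tag.split("}")[-1] == "Version"), None)
            found.append(el.get("Version") or child or "")
    return found

def audit(csproj_text, sources):
    """Combine both preconditions: affected version and [JsonExtensionData] use."""
    versions = package_versions(csproj_text)
    states = {classify(v) for v in versions}
    uses = sorted(name for name, text in sources.items() if EXT_DATA.search(text))
    if "affected" in states:
        risk = "exposed" if uses else "upgrade"
    elif "unknown" in states:
        risk = "review"
    else:
        risk = "ok"
    return {"versions": versions, "extension_data_in": uses, "risk": risk}

# Constructed sample inputs, not taken from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="System.Text.Json" Version="8.0.4" />
</ItemGroup></Project>"""
SAMPLE_SOURCES = {"Models/Event.cs": "[JsonExtensionData]\npublic Dictionary<string, JsonElement>? Extra { get; set; }"}

if __name__ == "__main__":
    print(audit(SAMPLE_CSPROJ, SAMPLE_SOURCES))
```

Direct PackageReference entries are only part of the picture: System.Text.Json is often pulled in transitively, so also run `dotnet list package --vulnerable --include-transitive` against the solution.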
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2024-43485
- https://github.com/dotnet/runtime/issues/108678
- https://github.com/dotnet/announcements/issues/329
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485
- https://github.com/dotnet/runtime/security/advisories/GHSA-8g4q-xg66-9fp4
- https://github.com/dotnet/runtime
- https://osv.dev/vulnerability/GHSA-8g4q-xg66-9fp4
What are Similar Vulnerabilities to BIT-dotnet-sdk-2024-43485?
Similar Vulnerabilities: CVE-2023-29331, CVE-2025-27513, CVE-2024-21907, CVE-2023-24936, CVE-2022-30190
