CVE-2024-21634
Denial-of-service vulnerability in ion-java (Maven)
What is CVE-2024-21634 About?
This vulnerability in `ion-java` allows an attacker to craft Ion data that triggers a `StackOverflowError` during deserialization or `IonValue` model processing. The uncaught error crashes the application, producing a denial-of-service condition. Exploitation requires nothing more than supplying the malformed Ion data to an application that parses it, so it is straightforward.
Affected Software
Technical Details
A potential denial-of-service exists in ion-java for applications that deserialize Ion text encoded data or process IonValue model instances using specific methods. An attacker can craft Ion data with deeply nested structures or recursive definitions. When ion-java attempts to deserialize this malformed data, or when certain IonValue methods are invoked on the in-memory representation, the processing may lead to excessive recursion in the library's internal call stack. This ultimately results in a StackOverflowError, causing the application to crash and leading to a denial-of-service.
What is the Impact of CVE-2024-21634?
Successful exploitation may allow attackers to cause a denial-of-service by triggering a `StackOverflowError`, crashing the application and making it unavailable.
What is the Exploitability of CVE-2024-21634?
Exploitation complexity is low. An attacker needs to supply specially crafted Ion data to an application that uses ion-java for deserialization or IonValue model processing. No authentication is typically required if the application processes Ion data from untrusted sources, and the attacker needs no privileges beyond the ability to send the malicious Ion data to the target application. This is primarily a remote attack vector. The risk factors are accepting Ion data from untrusted sources and not validating its structural integrity or nesting depth before processing. Workarounds include trusting only data from known, secure sources.
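The depth check the risk factors above call for, written as an added defender-side example that is not part of ion-java or this advisory: a small scanner that bounds the container nesting of Ion text before any recursive parser sees it. It assumes Ion text (the encoding named in the technical details), treats `[]`, `{}` and `()` as containers, and skips `{{...}}` lobs, quoted strings and symbols, and comments so that brackets inside them are not counted; the limit of 64 is an assumed value to tune per application.

```python
# Added mitigation example (not ion-java code): bound the nesting depth of Ion
# text before a recursive deserializer ever sees it. Containers are [], {}, ();
# {{...}} lobs, quoted strings/symbols and comments are skipped so that
# brackets inside them are not counted.
MAX_DEPTH = 64  # assumed limit; tune to what the application's data really needs


def max_nesting_depth(text: str, limit: int = MAX_DEPTH) -> int:
    """Return the deepest container nesting; raise ValueError once it exceeds limit."""
    depth = deepest = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if text.startswith("'''", i):                    # long string
            end = text.find("'''", i + 3)
            i = n if end < 0 else end + 3
        elif c in "\"'":                                 # string or quoted symbol
            i += 1
            while i < n and text[i] != c:
                i += 2 if text[i] == "\\" else 1         # skip escaped chars
            i += 1
        elif text.startswith("//", i):                   # line comment
            end = text.find("\n", i)
            i = n if end < 0 else end
        elif text.startswith("/*", i):                   # block comment
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif text.startswith("{{", i):                   # blob/clob: opaque payload
            end = text.find("}}", i + 2)
            i = n if end < 0 else end + 2
        elif c in "[{(":
            depth += 1
            deepest = max(deepest, depth)
            if depth > limit:                            # stop early on hostile input
                raise ValueError(f"Ion nesting depth {depth} exceeds limit {limit}")
            i += 1
        else:
            if c in "]})":
                depth = max(depth - 1, 0)
            i += 1
    return deepest


def is_safe_to_deserialize(text: str, limit: int = MAX_DEPTH) -> bool:
    """Gate to run before ion-java (or any Ion parser) processes untrusted text."""
    try:
        max_nesting_depth(text, limit)
        return True
    except ValueError:
        return False
```

Because the scanner aborts as soon as the limit is crossed, it costs at most one pass over the bytes actually read, which is what makes it usable as a front-line filter ahead of the upgrade to 1.10.5.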
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21634?
Available Upgrade Options
- com.amazon.ion:ion-java
  - <1.10.5 → Upgrade to 1.10.5
Additional Resources
What are Similar Vulnerabilities to CVE-2024-21634?
Similar Vulnerabilities: CVE-2018-1000876, CVE-2021-29425, CVE-2021-23840, CVE-2020-25695, CVE-2023-34053
