CVE-2024-21907
Insecure Defaults vulnerability in Newtonsoft.Json (NuGet)

Category: Insecure Defaults. Known exploits: none.

What is CVE-2024-21907 About?

Newtonsoft.Json prior to version 13.0.1 is vulnerable to Denial of Service (DoS) due to insecure defaults: no limit is imposed on JSON nesting depth. Deeply nested JSON input can cause StackOverflow exceptions or excessive CPU/RAM usage during serialization or deserialization, allowing an attacker to render the application unresponsive.

Affected Software

Newtonsoft.Json <13.0.1

Technical Details

The vulnerability in Newtonsoft.Json versions prior to 13.0.1 stems from the library's default handling of deeply nested JSON structures: no nesting limit is applied unless the application configures one. During deserialization (JsonConvert.DeserializeObject), very high nesting levels in the input JSON (the advisory cites '>10kk' levels for significant latency) lead to an algorithmic complexity attack that consumes excessive CPU and RAM, exhausting resources and causing a DoS. During serialization (JsonConvert.Serialize, JObject.ToString), similar deep nesting triggers a StackOverflow exception once the recursion depth exceeds system limits (around 20k nesting levels). Any application using these versions is affected; IIS-hosted applications are particularly exposed because IIS stops restarting a worker process that crashes repeatedly, so a crash from a StackOverflow exception can leave the application down rather than briefly interrupted.

What is the Impact of CVE-2024-21907?

Successful exploitation may allow attackers to cause the affected application to experience high CPU and RAM usage, or crash due to StackOverflow exceptions, leading to a temporary unavailability of services.

What is the Exploitability of CVE-2024-21907?

Exploitation of this vulnerability involves crafting a deeply nested JSON structure and sending it to an application that deserializes or serializes JSON using vulnerable versions of Newtonsoft.Json. The complexity is moderate: the concept is simple, but achieving significant impact requires a large, specifically structured JSON payload. No authentication or privileged access is typically required, since the attack relies only on input processing, and it can be carried out remotely wherever the application accepts and processes untrusted JSON input. The primary prerequisite is the application's reliance on Newtonsoft.Json versions prior to 13.0.1 without a configured MaxDepth. Applications exposing JSON endpoints that handle untrusted input are at high risk, especially those that limit neither input size nor nesting depth. IIS-hosted applications carry an increased risk factor because of their post-crash behavior described above.

What are the Known Public Exploits?

Exploit table (PoC, Author, Link, Commentary): no entries; no known exploits.

What are the Available Fixes for CVE-2024-21907?

Available Upgrade Options

  • Newtonsoft.Json
    • <13.0.1 → Upgrade to 13.0.1
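As an added example that is not part of this advisory or of the Newtonsoft.Json project, the following C# shows the MaxDepth mitigation the text refers to: a 64-level nesting limit (the default that 13.0.1 introduced, which older versions lack) applied both through JsonSerializerSettings and on a JsonTextReader for JToken loading. The class name, the 64-level value and the constructed 200-level payload are assumptions made for the example.

```csharp
using System;
using System.IO;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example (not the advisory's or the library's own code): reject deeply
// nested JSON before it can exhaust the stack or CPU. On Newtonsoft.Json
// versions before 13.0.1 the limit must be set explicitly, because the default
// MaxDepth there is unlimited (null).
public static class DepthLimitedJson
{
    // Assumed limit; 64 is the default MaxDepth that 13.0.1 introduced.
    private const int MaxNestingDepth = 64;

    private static readonly JsonSerializerSettings SafeSettings = new JsonSerializerSettings
    {
        MaxDepth = MaxNestingDepth
    };

    // Typed deserialization with the depth limit applied.
    public static T Deserialize<T>(string json) =>
        JsonConvert.DeserializeObject<T>(json, SafeSettings);

    // JToken.Parse has no MaxDepth parameter of its own, so build the reader
    // explicitly and set the limit on it before loading the token tree.
    public static JToken ParseToken(string json)
    {
        using (var reader = new JsonTextReader(new StringReader(json)) { MaxDepth = MaxNestingDepth })
        {
            return JToken.ReadFrom(reader);
        }
    }

    public static void Main()
    {
        // Constructed sample input: an array nested 200 levels deep, past the limit.
        const int depth = 200;
        string deep = new string('[', depth) + new string(']', depth);

        try
        {
            ParseToken(deep);
            Console.WriteLine("unexpected: deep input was accepted");
        }
        catch (JsonReaderException ex)
        {
            // The reader throws as soon as nesting passes MaxDepth, so the
            // payload is never fully materialized.
            Console.WriteLine("rejected: " + ex.Message);
        }

        // Ordinary input within the limit still deserializes normally.
        JObject obj = Deserialize<JObject>("{\"a\":[1,2,{\"b\":3}]}");
        Console.WriteLine(obj["a"][2]["b"]);
    }
}
```

Note that 13.0.1 still allows MaxDepth to be set back to null; treating an explicit `MaxDepth = null` in code review as a finding keeps the upgrade from being silently undone.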


Additional Resources

What are Similar Vulnerabilities to CVE-2024-21907?

Similar vulnerabilities: CVE-2023-29331, CVE-2024-43485, CVE-2025-27513, CVE-2023-24936, CVE-2022-30190